| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Dec 2012 22:08:47 +0330 From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com> To: full-disclosure@...ts.grok.org.uk Subject: VLC media player 2.0.4 BOF POC Title : VLC media player 2.0.4 buffer overflow POC Version : 2.0.4 Twoflower Date : 2012-12-06 Vendor : http://www.videolan.org/vlc/ Impact : Med/High Contact : coolkaveh [at] rocketmail.com Twitter : @coolkaveh tested : windows XP SP3 Author : coolkaveh ##################################################################################################################### VLC media player (also known as VLC) is a highly portable free and open-source media player and streaming media server written by the VideoLAN project. It is a cross-platform media player, with versions for Microsoft Windows, OS X, GNU/Linux, Android, BSD, Solaris, iOS, Syllable, BeOS, MorphOS, QNX and eComStation ##################################################################################################################### Bug : ---- buffer overflow during the handling of the swf file context-dependent Successful exploits can allow attackers to execute arbitrary code ---- ###################################################################################################################### (7b4.a14): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0 eip=75737574 esp=0196fb5c ebp=00000002 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 Missing image name, possible paged-out or corrupt data. 75737574 ?? ??? 0:009>!exploitable -v eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0 eip=75737574 esp=0196fb5c ebp=00000002 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 75737574 ?? ??? HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll - Exception Faulting Address: 0x75737574 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Data Execution Protection (DEP) Violation Exception Hash (Major/Minor): 0x307d391a.0x6f0f1537 Stack Trace: Unknown libvlccore!vout_ReleasePicture+0x32 libavcodec_plugin!vlc_entry_license__1_2_0l+0xe09 libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf26b libavcodec_plugin!vlc_entry_license__1_2_0l+0xdee0e libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf37b ntdll!RtlFreeHeap+0x18b Instruction Address: 0x0000000075737574 Description: Data Execution Prevention Violation Short Description: DEPViolation Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000075737574 called from libvlccore!vout_ReleasePicture+0x0000000000000032 (Hash=0x307d391a.0x6f0f1537) User mode DEP access violations are exploitable. ################################################################################ Proof of concept included. http://www39.zippyshare.com/v/91522221/file.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists