# Exploit Title: VLC 2.1.3 WriteAV Vulnerability, Decoders
# Date: 2014/02/20
# Exploit Author: kw4
# Software Link: http://www.videolan.org/vlc/index.html
# Version: 2.1.3
# Impact: Med/High
# Tested on: Windows 7 64-bit
Memory corruption (a user-mode write access violation inside the libmpgatofixed32 audio plugin, see the trace below) occurs when VLC 2.1.3 tries to load a crafted .avs file.
(2b10.2750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360 edi=00000311
eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0 nv up ei pl nz na po nc
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1a285000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]
Exception Hash (Major/Minor): 0xf1ffd179.0x98f1d37c
Hash Usage : Stack Trace:
Major+Minor : libmpgatofixed32_plugin+0x16b4
Major+Minor : libvlccore!vlc_getProxyUrl+0x411
Major+Minor : libvlccore!aout_FiltersPlay+0x7a
Major+Minor : libvlccore!aout_CheckChannelExtraction+0x17f3
Major+Minor : libvlccore!input_Control+0x1431
Minor : libvlccore!input_Control+0x1708
Minor : libvlccore!input_Control+0x33c5
Minor : ntdll!RtlImageNtHeader+0x30e
Minor : libvlccore!vlc_threadvar_set+0x24
Minor : libvlccore!vlc_threadvar_delete+0x128
Minor : msvcrt!endthreadex+0x6c
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000540716b4
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Exploitable - User Mode Write AV starting at libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)
0:010> kd
176efd68 00000102
176efd6c 573a5f11 libvlccore!vlc_getProxyUrl+0x411
176efd70 00000001
176efd74 7efde000
176efd78 176efd98
176efd7c 1a1d2fc8
176efd80 1a1d2fd8
176efd84 00000001
176efd88 00000001
176efd8c 5737dcca libvlccore!aout_FiltersPlay+0x7a
176efd90 15a9cd44
176efd94 1a16ab88
176efd98 00000002
176efd9c 00000000
176efda0 00000000
176efda4 00002710
176efda8 00000000
176efdac 1a16ab88
176efdb0 000283e4
176efdb4 000003e8
Crafted avs file: http://www.exploit-db.com/sploits/31899.avs