# Exploit Title: VLC 2.1.3 WriteAV Vulnerability, Decoders
# Date: 2014/02/20
# Exploit Author: kw4
# Software Link: http://www.videolan.org/vlc/index.html
# Version: 2.1.3
# Impact: Med/High
# Tested on: Windows 7 64 bits

Memory corruption when VLC tries to load crafted .avs files.

(2b10.2750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360 edi=00000311
eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0         nv up ei pl nz na po nc

HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1a285000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]

Exception Hash (Major/Minor): 0xf1ffd179.0x98f1d37c

Hash Usage : Stack Trace:
Major+Minor : libmpgatofixed32_plugin+0x16b4
Major+Minor : libvlccore!vlc_getProxyUrl+0x411
Major+Minor : libvlccore!aout_FiltersPlay+0x7a
Major+Minor : libvlccore!aout_CheckChannelExtraction+0x17f3
Major+Minor : libvlccore!input_Control+0x1431
Minor       : libvlccore!input_Control+0x1708
Minor       : libvlccore!input_Control+0x33c5
Minor       : ntdll!RtlImageNtHeader+0x30e
Minor       : libvlccore!vlc_threadvar_set+0x24
Minor       : libvlccore!vlc_threadvar_delete+0x128
Minor       : msvcrt!endthreadex+0x6c
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000540716b4

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Exploitable - User Mode Write AV starting at libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)

0:010> kd
176efd68  00000102
176efd6c  573a5f11 libvlccore!vlc_getProxyUrl+0x411
176efd70  00000001
176efd74  7efde000
176efd78  176efd98
176efd7c  1a1d2fc8
176efd80  1a1d2fd8
176efd84  00000001
176efd88  00000001
176efd8c  5737dcca libvlccore!aout_FiltersPlay+0x7a
176efd90  15a9cd44
176efd94  1a16ab88
176efd98  00000002
176efd9c  00000000
176efda0  00000000
176efda4  00002710
176efda8  00000000
176efdac  1a16ab88
176efdb0  000283e4
176efdb4  000003e8

Crafted avs file: http://www.exploit-db.com/sploits/31899.avs
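The report above is WinDbg !exploitable output, and a crash-collection pipeline usually has to bucket many such reports rather than read each one. The following Python is an added example, not part of the advisory and not VLC code: it parses the fields !exploitable prints (exception type and sub-type, faulting instruction, Major/Minor hash, classification, the Major+Minor frames) and derives a triage priority and a de-duplication key. The sample text is copied from the report on this page; the function names and the priority ladder are this example's own assumptions.

```python
"""Triage helper for WinDbg !exploitable-style crash output (added example)."""
import re

# Sample report text, copied from the advisory above.
SAMPLE_REPORT = """\
Exception Faulting Address: 0x1a285000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]
Exception Hash (Major/Minor): 0xf1ffd179.0x98f1d37c
Hash Usage : Stack Trace:
Major+Minor : libmpgatofixed32_plugin+0x16b4
Major+Minor : libvlccore!vlc_getProxyUrl+0x411
Major+Minor : libvlccore!aout_FiltersPlay+0x7a
Minor       : ntdll!RtlImageNtHeader+0x30e
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Instruction Address: 0x00000000540716b4
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
"""

# One regex per single-valued field of the report; group 1 is the value.
FIELD_PATTERNS = {
    "faulting_address": r"Exception Faulting Address:\s*(0x[0-9a-fA-F]+)",
    "exception_type": r"Exception Type:\s*([A-Z_]+)",
    "sub_type": r"Exception Sub-Type:\s*(.+)",
    "instruction": r"Faulting Instruction:\s*[0-9a-fA-F]+\s+(.+)",
    "hash": r"Exception Hash \(Major/Minor\):\s*(0x[0-9a-fA-F]+\.0x[0-9a-fA-F]+)",
    "short_description": r"Short Description:\s*(\S+)",
    "classification": r"Exploitability Classification:\s*(\S+)",
}


def parse_crash_report(text):
    """Return a dict of the triage-relevant fields of one !exploitable report.

    Missing fields come back as None so a truncated report still parses.
    """
    result = {}
    for key, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, text)
        result[key] = m.group(1).strip() if m else None
    # Frames tagged Major+Minor are the ones that feed the bucketing hash;
    # the first of them is the module the fault occurred in.
    frames = re.findall(r"^Major\+Minor\s*:\s*(\S+)", text, re.MULTILINE)
    result["major_frames"] = frames
    result["crash_module"] = (
        frames[0].split("+")[0].split("!")[0] if frames else None
    )
    return result


def triage_priority(report):
    """Map a parsed report to a priority bucket (assumed ladder, not a standard).

    A write access violation that !exploitable rates EXPLOITABLE goes first;
    other EXPLOITABLE crashes next; PROBABLY_EXPLOITABLE after that.
    """
    cls = report["classification"]
    if cls == "EXPLOITABLE" and report["short_description"] == "WriteAV":
        return "P1"
    if cls == "EXPLOITABLE":
        return "P2"
    if cls == "PROBABLY_EXPLOITABLE":
        return "P3"
    return "P4"


def bucket_key(report):
    """Stable de-duplication key: crashing module plus the Major/Minor hash."""
    return f"{report['crash_module']}:{report['hash']}"


if __name__ == "__main__":
    r = parse_crash_report(SAMPLE_REPORT)
    print(r["crash_module"], "|", r["instruction"], "|",
          triage_priority(r), "|", bucket_key(r))
```

The Major/Minor hash is what !exploitable itself uses to group duplicate crashes, so keying on module plus hash keeps one entry per distinct fault site while the priority field tells the team which bucket to look at first; the `ecx=00000310` index in the faulting `fstp dword ptr [edx+ecx*4]` is the kind of detail a human then checks against the decoder's buffer size when confirming the root cause.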