VideoLAN VLC Media Player 2.1.3 - '.avs' Crash (PoC)

EDB-ID: 31899
CVE:
Author: kw4
Type: dos
Platform: Windows
Date: 2014-02-25


# Exploit Title: VLC 2.1.3 WriteAV Vulnerability, Decoders
# Date: 2014/02/20
# Exploit Author: kw4
# Software Link: http://www.videolan.org/vlc/index.html
# Version: 2.1.3
# Impact: Med/High
# Tested on: Windows 7 64-bit

VLC 2.1.3 crashes with a write access violation (memory corruption) when it loads a crafted .avs file. The WinDbg and !exploitable output below was captured from the crash.

(2b10.2750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360 edi=00000311
eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0         nv up ei pl nz na po nc

HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1a285000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]

Exception Hash (Major/Minor): 0xf1ffd179.0x98f1d37c

Hash Usage : Stack Trace:
Major+Minor : libmpgatofixed32_plugin+0x16b4
Major+Minor : libvlccore!vlc_getProxyUrl+0x411
Major+Minor : libvlccore!aout_FiltersPlay+0x7a
Major+Minor : libvlccore!aout_CheckChannelExtraction+0x17f3
Major+Minor : libvlccore!input_Control+0x1431
Minor       : libvlccore!input_Control+0x1708
Minor       : libvlccore!input_Control+0x33c5
Minor       : ntdll!RtlImageNtHeader+0x30e
Minor       : libvlccore!vlc_threadvar_set+0x24
Minor       : libvlccore!vlc_threadvar_delete+0x128
Minor       : msvcrt!endthreadex+0x6c
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000540716b4

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Exploitable - User Mode Write AV starting at libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)


0:010> kd
176efd68  00000102
176efd6c  573a5f11 libvlccore!vlc_getProxyUrl+0x411
176efd70  00000001
176efd74  7efde000
176efd78  176efd98
176efd7c  1a1d2fc8
176efd80  1a1d2fd8
176efd84  00000001
176efd88  00000001
176efd8c  5737dcca libvlccore!aout_FiltersPlay+0x7a
176efd90  15a9cd44
176efd94  1a16ab88
176efd98  00000002
176efd9c  00000000
176efda0  00000000
176efda4  00002710
176efda8  00000000
176efdac  1a16ab88
176efdb0  000283e4
176efdb4  000003e8
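The following Python script is an added triage helper and is not part of the original advisory. It parses the register dump and faulting instruction above, recomputes the effective address of "fstp dword ptr [edx+ecx*4]" from edx and ecx, and checks that it matches the reported fault address and sits exactly on a page boundary, the usual sign of a write running past the end of a heap buffer into the next unmapped page. It assumes 4 KiB pages and uses the register values exactly as printed on this page.

```python
import re
# Register dump and faulting instruction copied from the crash report above.
CRASH_REPORT = """
eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360 edi=00000311
eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0         nv up ei pl nz na po nc
Exception Faulting Address: 0x1a285000
Exception Sub-Type: Write Access Violation
Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-fA-F]{8})")
ADDR_RE = re.compile(r"Exception Faulting Address:\s*0x([0-9a-fA-F]+)")
INSN_RE = re.compile(r"Faulting Instruction:\s*[0-9a-fA-F]+\s+(\S+)\s.*?\[([^\]]+)\]")
# x86 memory operand as WinDbg prints it: base[+index*scale][+disp], disp in hex
OPERAND_RE = re.compile(r"^(\w+)(?:\+(\w+)\*([1248]))?(?:\+([0-9a-fA-F]+)h?)?$")

def parse_registers(text):
    # {register: value} for every 32-bit register in the dump
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def effective_address(operand, regs):
    # base + index*scale + disp for an operand such as 'edx+ecx*4'
    m = OPERAND_RE.match(operand.replace(" ", ""))
    if not m:
        raise ValueError("unsupported operand: " + operand)
    base, index, scale, disp = m.groups()
    ea = regs[base] + (regs[index] * int(scale) if index else 0)
    ea += int(disp, 16) if disp else 0
    return ea & 0xFFFFFFFF  # 32-bit process: wrap like the CPU does

def triage(report, page_size=0x1000):
    # Cross-check the faulting instruction against the saved register state.
    regs = parse_registers(report)
    reported = int(ADDR_RE.search(report).group(1), 16)
    mnemonic, operand = INSN_RE.search(report).groups()
    computed = effective_address(operand, regs)
    return {
        "mnemonic": mnemonic,                # fstp is an FPU store, i.e. a write
        "operand": operand,
        "computed": computed,
        "reported": reported,
        "consistent": computed == reported,  # the registers fully explain the fault
        # A fault exactly on a page boundary means the write ran off the end of a
        # mapped buffer into the next, unmapped page (assumes 4 KiB pages).
        "page_aligned": reported % page_size == 0,
    }

if __name__ == "__main__":
    for key, value in triage(CRASH_REPORT).items():
        print(key, hex(value) if type(value) is int else value)
```

For this report the computed address 0x1a2843c0 + 0x310*4 equals the reported 0x1a285000, so the out-of-bounds index in ecx (784 samples) alone accounts for the write fault.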


Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31899.avs