ZSL-2010-4931
VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC
Advisory: http://zeroscience.mk/en/vulnerabilities/ZSL-2010-4931.php
Summary: VLC media player is a highly portable multimedia player
and multimedia framework capable of reading most audio
and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1,
mp3, ogg, aac ...) as well as DVDs, Audio CDs, VCDs, and
various streaming protocols.
Description: VLC media player is vulnerable to a buffer overflow
attack when processing an .mp3 file and its metadata.
It fails to perform boundary checks when creating a
bookmark from the malicious media file that is playing,
resulting in a crash with the ECX register overwritten
(0x41414141 in the dump below). While the evil .mp3 is
playing, go to Playback > Bookmarks > Manage bookmarks > Create.
Tested on Microsoft Windows XP Professional SP3 (EN)
Version affected: 1.0.5 Goldeneye
Product web page: http://www.videolan.org
Vendor: VideoLAN team
-------------------------------------------------------------------------
(e48.10fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=039fe008 ebx=00001200 ecx=41414141 edx=03b7ab88 esi=039fe000 edi=004d0000
eip=7c911895 esp=04befcd8 ebp=04befcf0 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
ntdll!RtlInitializeCriticalSection+0x298:
7c911895 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
-------------------------------------------------------------------------
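The missing bounds check described above, as an added illustration that is not VLC's code and not part of the advisory: a fixed-size bookmark name filled from a file's metadata, first without a length check and then hardened so an oversized title is truncated and reported instead of overrunning the buffer. The struct layout, the 64-byte limit and the function names are assumptions.

```c
#include <string.h>
/* Illustrative model of the bug class in this advisory, not VLC's code: a
 * bookmark name is built from the playing file's metadata (e.g. the ID3
 * title) and copied into a fixed-size buffer. Names and sizes are assumed. */
#define BOOKMARK_NAME_MAX 64

struct bookmark {
    char name[BOOKMARK_NAME_MAX];
    long offset_ms;                 /* whatever follows 'name' gets clobbered */
};

/* Vulnerable pattern: the title's length is never checked, so a title longer
 * than 'name' writes past the buffer. Shown for contrast only. */
void bookmark_set_name_unchecked(struct bookmark *b, const char *title)
{
    strcpy(b->name, title);
}

/* Hardened pattern: reject NULL, scan at most BOOKMARK_NAME_MAX bytes, copy
 * no more than the buffer holds, always NUL-terminate, and return 1 when the
 * title was truncated so the caller can log oversized metadata.
 * Returns -1 on bad arguments and 0 when the whole title fit. */
int bookmark_set_name(struct bookmark *b, const char *title)
{
    size_t len = 0;
    if (b == NULL || title == NULL) return -1;
    while (len < BOOKMARK_NAME_MAX && title[len] != '\0')
        len++;                              /* bounded scan, unlike strlen */
    if (len == BOOKMARK_NAME_MAX) {         /* too long: keep a prefix */
        memcpy(b->name, title, BOOKMARK_NAME_MAX - 1);
        b->name[BOOKMARK_NAME_MAX - 1] = '\0';
        return 1;
    }
    memcpy(b->name, title, len + 1);        /* includes the terminator */
    return 0;
}

/* Demo helper: store an n-byte title of 'A's (constructed input, echoing the
 * 0x41414141 in the crash dump) and return the length kept, or -1 on error. */
int demo_store_title(size_t n)
{
    struct bookmark b;
    char title[512];
    if (n >= sizeof title) return -1;
    memset(title, 'A', n);
    title[n] = '\0';
    if (bookmark_set_name(&b, title) < 0) return -1;
    return (int)strlen(b.name);
}
```

With the hardened routine a 200-byte title is stored as 63 bytes and flagged as truncated; the unchecked routine would have written the remaining bytes over `offset_ms` and beyond.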
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
28.02.2010
PoC:
http://zeroscience.mk/codes/aimp2_evil.mp3
[mirror] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
[mirror] http://securityreason.com/download/11/13
//EOF