Re: VLC media player MKV Parsing POC

[Źmicier Januszkiewicz <gauri () tut by>]

Mario,

As far as I see, the code snippet provided (the only insn) dereferences an
attacker-controlled value. What happens next is not really clear since it
is only one insn in the dump and I am too lazy to actually install VLC and
dig in, but it shows that you can at least control the contents of ECX.

If Kaveh would be so kind as to post the following insns in the stream, we
could see what this may lead to. If the next insn is, say, CALL [EDX+10h],
well, there you go -- you own the control flow.


2013/7/10 Mario Vilas <mvilas () gmail com>

> On Wed, Jul 10, 2013 at 10:57 AM, kaveh ghaemmaghami <
> kavehghaemmaghami () googlemail com> wrote:
>
> > 1.The crash you showed does not control eip
> >  (its not a stack-based bof)
>
> And? You still need to control EIP or the exploit doesn't, you know,
> actually work. :P
>
>
> > 2.not even arbitrary memory
> > (check further instructions)
>
> You posted only one instruction and it's a read operation, proving
> nothing. You're either lazy or don't actually get what's going on.
>
> --
> “There's a reason we separate military and the police: one fights
> the enemy of the state, the other serves and protects the people. When
> the military becomes both, then the enemies of the state tend to become the
> people.”
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/