Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: VLC media player MKV Parsing POC
From: Źmicier Januszkiewicz <gauri () tut by>
Date: Wed, 10 Jul 2013 11:56:14 +0200

Mario,

As far as I see, the code snippet provided (the only insn) dereferences an
attacker-controlled value. What happens next is not really clear since it
is only one insn in the dump and I am too lazy to actually install VLC and
dig in, but it shows that you can at least control the contents of ECX.

If Kaveh would be so kind as to post the following insns in the stream, we
could see what this may lead to. If the next insn is, say, CALL [EDX+10h],
well, there you go -- you own the control flow.


2013/7/10 Mario Vilas <mvilas () gmail com>

On Wed, Jul 10, 2013 at 10:57 AM, kaveh ghaemmaghami <
kavehghaemmaghami () googlemail com> wrote:

1.The crash you showed does not control eip
 (its not a stack-based bof)


And? You still need to control EIP or the exploit doesn't, you know,
actually work. :P


2.not even arbitrary memory
(check further instructions)


You posted only one instruction and it's a read operation, proving
nothing. You're either lazy or don't actually get what's going on.

--
“There's a reason we separate military and the police: one fights
the enemy of the state, the other serves and protects the people. When
the military becomes both, then the enemies of the state tend to become the
people.”

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]