# Exploit Title: VLC 2.1.3 WriteAV Vulnerability, Decoders
# Date: 2014/02/20
# Exploit Author: kw4
# Software Link: http://www.videolan.org/vlc/index.html
# Version: 2.1.3
# Impact: Med/High
# Tested on: Windows 7 64 bits

Memory corruption when VLC 2.1.3 loads a crafted .avs file: the process dies with a write access violation inside libmpgatofixed32_plugin (the MPEG audio to fixed32 audio conversion module), reached through the audio output filter chain (aout_FiltersPlay). The faulting instruction is a float store through [edx+ecx*4]; with the registers below, edx + ecx*4 = 0x1a2843c0 + 0xc40 = 0x1a285000, which matches the reported faulting address and is page-aligned, i.e. the store is the first one past the end of the mapped buffer.

WinDbg / !exploitable output:

(2b10.2750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360 edi=00000311
eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0         nv up ei pl nz na po nc

HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1a285000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction: 540716b4 fstp dword ptr [edx+ecx*4]

Exception Hash (Major/Minor): 0xf1ffd179.0x98f1d37c

Hash Usage : Stack Trace:
Major+Minor : libmpgatofixed32_plugin+0x16b4
Major+Minor : libvlccore!vlc_getProxyUrl+0x411
Major+Minor : libvlccore!aout_FiltersPlay+0x7a
Major+Minor : libvlccore!aout_CheckChannelExtraction+0x17f3
Major+Minor : libvlccore!input_Control+0x1431
Minor       : libvlccore!input_Control+0x1708
Minor       : libvlccore!input_Control+0x33c5
Minor       : ntdll!RtlImageNtHeader+0x30e
Minor       : libvlccore!vlc_threadvar_set+0x24
Minor       : libvlccore!vlc_threadvar_delete+0x128
Minor       : msvcrt!endthreadex+0x6c
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000540716b4

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Exploitable - User Mode Write AV starting at libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)

Raw stack at the crash (note: the symbols in the VLC core binaries are exported names only, so the libvlccore!... frames are the nearest export, not the real function):

0:010> kd
176efd68  00000102
176efd6c  573a5f11 libvlccore!vlc_getProxyUrl+0x411
176efd70  00000001
176efd74  7efde000
176efd78  176efd98
176efd7c  1a1d2fc8
176efd80  1a1d2fd8
176efd84  00000001
176efd88  00000001
176efd8c  5737dcca libvlccore!aout_FiltersPlay+0x7a
176efd90  15a9cd44
176efd94  1a16ab88
176efd98  00000002
176efd9c  00000000
176efda0  00000000
176efda4  00002710
176efda8  00000000
176efdac  1a16ab88
176efdb0  000283e4
176efdb4  000003e8

Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31899.avs
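The shape of the faulting instruction, a float store at base edx with index ecx and scale 4, is what a PCM-to-float conversion loop compiles to. The following C is an added illustration written for this page; it is not VLC's code and not the advisory author's. It shows that loop in an unchecked form and in a form bounded by the output block's capacity, and it recomputes the effective address of [edx+ecx*4] from the register dump so the reported faulting address can be cross-checked. The buffer sizes are constructed from the crash registers (ecx=0x310 as the capacity, ebp=0x480 as the claimed sample count); that ebp holds the loop bound is an assumption made for the illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not VLC's code.  The faulting instruction
 * `fstp dword ptr [edx+ecx*4]` is a float store at base edx, index ecx,
 * scale 4: the shape of a PCM-to-float conversion loop. */

/* Unchecked: the frame's own sample count drives the loop, so a frame that
 * claims more samples than `out` holds writes past its end. */
static void pcm16_to_float_unchecked(const int16_t *in, float *out,
                                     size_t frame_samples)
{
    for (size_t i = 0; i < frame_samples; i++)
        out[i] = (float)in[i] / 32768.0f;   /* the store at out + 4*i */
}

/* Checked: never writes beyond out_capacity floats; returns how many
 * samples were actually converted so the caller can notice truncation. */
static size_t pcm16_to_float_checked(const int16_t *in, float *out,
                                     size_t out_capacity, size_t frame_samples)
{
    size_t n = frame_samples < out_capacity ? frame_samples : out_capacity;
    for (size_t i = 0; i < n; i++)
        out[i] = (float)in[i] / 32768.0f;
    return n;
}

/* Effective address of `[edx+ecx*4]` from the register dump, so the
 * reported faulting address can be cross-checked against the registers. */
static uint32_t fault_address(uint32_t edx, uint32_t ecx)
{
    return edx + ecx * 4u;
}

int main(void)
{
    /* Constructed sizes: capacity 0x310 floats (ecx at the crash) and a
     * frame claiming 0x480 samples (ebp at the crash; 0x480 is also 1152,
     * the samples-per-frame count of an MPEG-1 Layer II/III frame).  That
     * ebp is really the loop bound is an assumption for this illustration. */
    enum { CAP = 0x310, CLAIMED = 0x480 };
    int16_t in[CLAIMED];
    for (size_t i = 0; i < CLAIMED; i++)
        in[i] = (int16_t)((i * 37u) & 0x7fffu);   /* constructed PCM input */

    float *out = calloc(CAP, sizeof *out);
    if (!out)
        return 1;

    /* The unchecked loop is fine when both sides agree on the size... */
    pcm16_to_float_unchecked(in, out, CAP);
    /* ...but a frame claiming CLAIMED samples must take the bounded path. */
    size_t n = pcm16_to_float_checked(in, out, CAP, CLAIMED);
    printf("converted %zu of %d claimed samples (capacity %d)\n",
           n, (int)CLAIMED, (int)CAP);
    printf("[edx+ecx*4] from the dump = 0x%08x\n",
           fault_address(0x1a2843c0u, 0x310u));
    free(out);
    return 0;
}
```

Running it prints the recomputed address 0x1a285000, the same value !exploitable reports as the faulting address, and shows the bounded converter stopping at the 784-float capacity instead of continuing to index 0x480.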