CVE-2008-4654 PoC — VLC媒体播放器TY文件处理栈溢出漏洞

Source

https://github.com/KernelErr/VLC-CVE-2008-4654-Exploit

Associated Vulnerability

Title:VLC媒体播放器TY文件处理栈溢出漏洞 (CVE-2008-4654)
Description:VideoLAN VLC media player是法国VideoLAN组织开发的一款免费、开源的跨平台多媒体播放器（也是一个多媒体框架）。该产品支持播放多种介质（文件、光盘等）、多种音视频格式（WMV, MP3等）等。 VLC媒体播放器的modules\demux\Ty.c文件没有正确地解析的TiVo ty媒体文件，如果用户受骗打开了畸形的媒体文件就会触发栈溢出，导致执行任意指令。

Description

An EXP could run on Windows x64 against CVE-2008-4654.

Readme

# VLC-CVE-2008-4654-Exploit
Well, it's just an old vulnerability whose CVE number is CVE-2008-4654. This vulnerability is caused by Out of Memory at line 1650 of modules/demux/ty.c.
```
stream_Read(p_demux->s, mst_buf, 8 + i_map_size);
```
When I downloaded the EXP from other websites, I found that it doesn't work correctly on my Windows 7 Ultimate x64. So I change the return address from 0x68f0cfad to 0x6a314b52, then it works!

Old:
```
0x68f0cfad : jmp esp 
{PAGE_EXECUTE_READ} [libqt4_plugin.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
```

After I found this module doesn't exist, I changed into:
```
0x6a314b52 : push esp # ret
{PAGE_EXECUTE_READ} [libvlc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
```

It works on VLC 0.9.4. Have fun!

File Snapshot


 [4.0K]  /data/pocs/baa7eeba68ea48ab56ba14ae5b817f6a1b78566c
├── [3.2K]  CVE-2008-4654-Exploit.py
└── [ 778]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!