Re: [Full-disclosure] VLC media player MKV Parsing POC

2013-07-10 Thread Edward Tivrusky
Are you really that dumb or are you just pretending?

The crash you showed does not control eip. It's not even a write access
violation; instead it's a READ access violation. And you try to write into the
register (not even arbitrary memory, hence even if the read is successful you may
or may not gain anything depending on further instructions).

Btw. Nice linkedin profile. You must be top-notch security expert.

Blya!
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] VLC media player MKV Parsing POC

2013-07-10 Thread kaveh ghaemmaghami
1. The crash you showed does not control eip
(it's not a stack-based bof)
2. not even arbitrary memory
(check further instructions)



Re: [Full-disclosure] VLC media player MKV Parsing POC

2013-07-10 Thread Mario Vilas
On Wed, Jul 10, 2013 at 10:57 AM, kaveh ghaemmaghami 
kavehghaemmagh...@googlemail.com wrote:

 1. The crash you showed does not control eip
  (it's not a stack-based bof)


And? You still need to control EIP or the exploit doesn't, you know,
actually work. :P


 2. not even arbitrary memory
 (check further instructions)


You posted only one instruction and it's a read operation, proving nothing.
You're either lazy or don't actually get what's going on.

-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] VLC media player MKV Parsing POC

2013-07-10 Thread kaveh ghaemmaghami
You're either lazy

I did.

I really don't appreciate your trolling (without any investigation
or analysis).



Re: [Full-disclosure] VLC media player MKV Parsing POC

2013-07-10 Thread Źmicier Januszkiewicz
Mario,

As far as I see, the code snippet provided (the only insn) dereferences an
attacker-controlled value. What happens next is not really clear since it
is only one insn in the dump and I am too lazy to actually install VLC and
dig in, but it shows that you can at least control the contents of ECX.

If Kaveh would be so kind as to post the following insns in the stream, we
could see what this may lead to. If the next insn is, say, CALL [EDX+10h],
well, there you go -- you own the control flow.



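A crash-triage helper in the spirit of this exchange, added here as an example and not code from anyone in the thread: it parses a WinDbg-style register and instruction dump (a constructed sample shaped like the one Kaveh posted), classifies the faulting access as read, write or execute, and reports whether the fill pattern sits in EIP or only in the dereferenced pointer, which is the distinction Edward and Źmicier are arguing about. The 0x41414141 marker, the regexes and the verdict strings are assumptions of this example, not anything the thread or VLC defines.

```python
import re

# Constructed sample shaped like the WinDbg dump quoted in this thread
# (register line, flags line, symbol line, faulting instruction).
SAMPLE_DUMP = """\
eax=02b92a18 ebx=00000089 ecx=41414141 edx=00000010 esi=02bccbd8 edi=00890178
eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0 nv up ei ng nz na po cy
ntdll!RtlImageNtHeader+0xe37:
77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=????????
"""

MARKER = 0x41414141  # assumed 'AAAA' fill pattern the PoC file is padded with
REG_RE = re.compile(r"\b(e(?:[abcd]x|[sd]i|[bs]p)|eip)=([0-9a-f]{8})\b")
# address, opcode bytes, mnemonic, operands, optional "ds:sel:addr=value" tail
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s*(?:ds:\S+)?$", re.M)

def parse_regs(dump):
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}

def parse_insn(dump):
    m = INSN_RE.search(dump)
    if not m:
        raise ValueError("no faulting instruction line found")
    return m.group(1).lower(), m.group(2)

def triage(dump, marker=MARKER):
    regs = parse_regs(dump)
    mnemonic, operands = parse_insn(dump)
    tainted = sorted(r for r, v in regs.items() if v == marker)
    eip_control = regs.get("eip") == marker
    dst, _, src = operands.partition(",")
    # memory operand on the destination side is a write, on the source side a read
    access = "execute" if eip_control or mnemonic in ("call", "jmp", "ret") \
        else "write" if "[" in dst else "read" if "[" in src else "none"
    mem = re.search(r"\[([^\]]*)\]", operands)
    ptr_regs = re.findall(r"\b(e[a-z]{2})\b", mem.group(1)) if mem else []
    pointer_tainted = any(regs.get(r) == marker for r in ptr_regs)
    if eip_control:
        verdict = "EIP holds the marker: direct control-flow hijack"
    elif access == "write" and pointer_tainted:
        verdict = "write through a tainted pointer: treat as likely exploitable"
    elif access == "read" and pointer_tainted:
        verdict = ("read through a tainted pointer: no EIP control shown, "
                   "the instructions that consume the loaded value decide")
    else:
        verdict = "marker not driving the faulting access: plain crash until proven otherwise"
    return {"access": access, "tainted_regs": tainted, "eip_control": eip_control,
            "pointer_tainted": pointer_tainted, "verdict": verdict}
```

On the sample above the verdict is the "read through a tainted pointer" case, which is why the dump alone settles nothing either way.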

[Full-disclosure] VLC media player MKV Parsing POC

2013-07-09 Thread kaveh ghaemmaghami
Hello list,
regarding the nonsense VLC post

http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia?pub=0#pr

1. we said that this was a crash, not an exploitable security issue

and the funny comment on that publication:

You forgot to mention the most important thing: if Secunia Research is
professional, why don't they provide you with a working exploit (for example
EIP = 0x41414141)? I'm sure a company like VUPEN would do just that to prove
their point. Isn't it worth pointing out on other sites (e.g. netsec)?
I really like this
https://twitter.com/Secunia/status/337140449712156672
 you can spot _two_ lies - first they didn't find ANY vuln, second they're
lying about the timeframe.


Here is your VUPEN 0x41414141


ModLoad: 64fb 650d8000   C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll

(be8.f0c): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0 nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b  efl=00010283
ntdll!RtlImageNtHeader+0xe37:
77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=

0:010> g

(be8.f0c): Access violation - code c005 (!!! second chance !!!)
eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0 nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b  efl=00010283
ntdll!RtlImageNtHeader+0xe37:
77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=

0:010> r ecx

ecx=41414141

0:010> d ecx
41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??

POC included

Stay Secure

Regards
Kaveh


Attachment: poc.mkv (binary data)