CVE-2008-4654 PoC — VLC媒体播放器TY文件处理栈溢出漏洞

Source

https://github.com/KernelErr/VLC-CVE-2008-4654-Exploit

Associated Vulnerability

Title:VLC媒体播放器TY文件处理栈溢出漏洞 (CVE-2008-4654)
Description:Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.

Description

An EXP could run on Windows x64 against CVE-2008-4654.

Readme

# VLC-CVE-2008-4654-Exploit
Well, it's just an old vulnerability whose CVE number is CVE-2008-4654. This vulnerability is caused by Out of Memory at line 1650 of modules/demux/ty.c.
```
stream_Read(p_demux->s, mst_buf, 8 + i_map_size);
```
When I downloaded the EXP from other websites, I found that it doesn't work correctly on my Windows 7 Ultimate x64. So I change the return address from 0x68f0cfad to 0x6a314b52, then it works!

Old:
```
0x68f0cfad : jmp esp 
{PAGE_EXECUTE_READ} [libqt4_plugin.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
```

After I found this module doesn't exist, I changed into:
```
0x6a314b52 : push esp # ret
{PAGE_EXECUTE_READ} [libvlc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
```

It works on VLC 0.9.4. Have fun!

File Snapshot


 [4.0K]  /data/pocs/baa7eeba68ea48ab56ba14ae5b817f6a1b78566c
├── [3.2K]  CVE-2008-4654-Exploit.py
└── [ 778]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!