# Exploit Title: Bsplayer HTTP Response BOF
# Date: Jan 17, 2015
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: www.bsplayer.com
# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html
# Version: current (2.68).
# Tested on: Windows 7 sp1 x86 version.
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
Exploit: http://www.exploit-db.com/sploits/35841.tar.gz
Bsplayer suffers from a buffer overflow vulnerability when it processes the
HTTP response after opening a URL. In order to exploit this bug I needed a
DLL loaded in the process whose addresses contain no null bytes and which has
no SafeSEH, ASLR or DEP. One of the DLLs that matches these criteria is
MSVCR71.dll, and it is loaded when an FLV file is opened over the network;
that is why I'm sending a legitimate FLV file first, so that the loaded DLL
can be used later. The space after the SEH record is also quite small, so I
added a small stage of shellcode that adds an offset to ESP so it points at
the beginning of my buffer, followed by a jmp esp instruction to execute the
actual shellcode.
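As an added example (not part of this advisory or of the Bsplayer code), a small PE32 header check in Python that reports the per-module properties the description above relies on: whether a DLL opts in to ASLR and DEP, whether it can carry a SafeSEH handler table, and whether every address inside it contains a null byte. The `build_pe32` helper and the two sample headers are constructed for the demonstration and are not real modules.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE optional header
DYNAMIC_BASE = 0x0040   # module opts in to ASLR
NX_COMPAT = 0x0100      # module opts in to DEP
NO_SEH = 0x0400         # module declares it registers no SEH handlers
LOAD_CONFIG_DIR = 10    # data directory that holds the SafeSEH handler table

def audit_pe32(data: bytes) -> dict:
    """Report the mitigation posture of a 32-bit PE image from its raw bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    load_cfg_size = 0
    if n_dirs > LOAD_CONFIG_DIR:  # each directory entry is (RVA, size)
        load_cfg_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_DIR)[1]
    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        # SafeSEH needs a load-config directory (handler table) or NO_SEH;
        # a module with neither is exactly what the advisory looks for
        "safeseh_possible": bool(dll_chars & NO_SEH) or load_cfg_size > 0,
        # code addresses inside the image share the base's upper two bytes,
        # so a zero there puts a null byte in every address of the module
        "base_has_null_byte": 0 in struct.pack("<I", image_base)[2:],
    }

def build_pe32(image_base: int, dll_chars: int, load_cfg_size: int) -> bytes:
    """Constructed minimal PE32 header (not a loadable module) for testing."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)            # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    struct.pack_into("<I", buf, opt + 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8 * LOAD_CONFIG_DIR,
                     0x1000 if load_cfg_size else 0, load_cfg_size)
    return bytes(buf)
```

Run over the DLLs an application ships with, the report shows which modules pull the whole process below the mitigation baseline; the SafeSEH field is only an upper bound, since a load-config directory can exist with an empty handler table.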
--
*Regards,*
Fady Osman
about.me/Fady_Osman