I wasn't very satisfied after my last case, so I decided to look at another piece of software. This time I tried to exploit BlazeDVD. Below you will find a few details about it. Here we go...
If you would like to check the software you can find it here:
Just like before - I used Windows 7, ImmunityDbg with mona.py, and Python (installed on Windows as well).
To start, just open BlazeDVD then open ImmunityDbg and attach it to the target software:
Our skeleton PoC is pretty similar to the one mentioned in the last post:
Loading it into BlazeDVD:
Good results. It's time to count...
And we are here:
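The crash above is triggered by a playlist entry that is far longer than any real path. As an added example that is not part of this post, the Python scanner below performs the matching check from the defender's side: it treats the playlist as line-oriented text (an assumption made for this example; the actual .plf layout is not described here) and flags entries that are overlong, contain non-printable bytes, or consist of a long run of one byte, which is what padding looks like. Both sample playlists are constructed inline.

```python
import string

# Thresholds chosen for this example: a Windows path is at most MAX_PATH (260)
# characters, so any playlist entry longer than that deserves a second look, and
# real paths never contain dozens of identical consecutive bytes.
MAX_ENTRY_LEN = 260
RUN_THRESHOLD = 64
PRINTABLE = frozenset(string.printable.encode())


def longest_run(line):
    """Length of the longest run of one repeated byte in `line`."""
    best = current = 0
    prev = None
    for b in line:
        current = current + 1 if b == prev else 1
        prev = b
        best = max(best, current)
    return best


def scan_playlist(data, max_len=MAX_ENTRY_LEN, run_threshold=RUN_THRESHOLD):
    """Return [(line_number, [reasons])] for every suspicious playlist entry.

    The playlist is treated as line-oriented text (an assumption for this example).
    """
    findings = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = []
        if len(line) > max_len:
            reasons.append(f"entry length {len(line)} exceeds {max_len}")
        nonprint = sum(1 for b in line if b not in PRINTABLE)
        if nonprint:
            reasons.append(f"{nonprint} non-printable bytes")
        run = longest_run(line)
        if run >= run_threshold:
            reasons.append(f"run of {run} identical bytes")
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed sample inputs: an ordinary playlist and one shaped like an overflow trigger.
BENIGN_PLF = b"C:\\Movies\\intro.vob\r\nD:\\Movies\\feature.mpg\r\n"
SUSPICIOUS_PLF = (
    b"C:\\Movies\\intro.vob\r\n"
    + b"A" * 600 + b"\x90" * 16 + bytes(range(8)) + b"\r\n"
)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLF), ("suspicious", SUSPICIOUS_PLF)):
        hits = scan_playlist(blob)
        print(f"{name}: {'clean' if not hits else hits}")
```

Running the script reports the benign playlist as clean and flags line 2 of the suspicious one on all three counts; the same function can be pointed at any playlist received from an untrusted source before it is opened in the player.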
(To be honest, first I was looking for an SEH overflow, but after a while I tried another approach; you'll see below.) So: right-click on ESP and choose Follow in Dump:
So: I used !mona.py jmp -r esp to find the correct value for our jump (to ESP, instead of BBBB):
In the PoC code I decided to use the address of a PUSH ESP / RET sequence. The payload I tried was generated in much the same way as in my venome.sh script (you can check it here). Now, with netcat listening for a connection from the remote host on port 443/tcp, I started BlazeDVD again to load our newly created list8.plf:
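A hard-coded PUSH ESP / RET address is only dependable because the module that holds it loads at the same base every time, i.e. it was linked without ASLR support; the ASLR and DEP columns mona shows for each module come from the DllCharacteristics field of that module's PE header. As an added example (not code from this post or from BlazeDVD), the Python script below reads that field from a PE image and reports the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP) and NO_SEH flags, which is the check a developer or packager runs to confirm a build actually ships with these mitigations. The images it examines are constructed inline from header fields only, so it runs offline; the field offsets follow the PE/COFF specification.

```python
import struct

# Bits in the optional header's DllCharacteristics field (PE/COFF specification).
DYNAMIC_BASE = 0x0040   # image can be relocated at load time (ASLR)
NX_COMPAT = 0x0100      # image is DEP-compatible
NO_SEH = 0x0400         # image uses no structured exception handlers
FLAG_NAMES = {"aslr": DYNAMIC_BASE, "dep": NX_COMPAT, "no_seh": NO_SEH}


def dll_characteristics(image):
    """Return the DllCharacteristics value of a PE32/PE32+ image held in `image`."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_header = e_lfanew + 4 + 20          # skip signature and COFF file header
    magic = struct.unpack_from("<H", image, opt_header)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", image, opt_header + 70)[0]


def mitigation_report(image):
    """Map each mitigation flag name to whether the image sets it."""
    value = dll_characteristics(image)
    return {name: bool(value & bit) for name, bit in FLAG_NAMES.items()}


def fixed_address_risk(image):
    """True when the image loads at its preferred base every time (no ASLR),
    which is exactly what makes a hard-coded PUSH ESP / RET address dependable."""
    return not mitigation_report(image)["aslr"]


def build_minimal_pe(flags, magic=0x10B):
    """Construct a header-only PE image (no sections) with the given DllCharacteristics.
    This is a synthetic sample for the example, not a loadable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))     # e_lfanew -> right after the DOS header
    coff = bytes(20)                                # COFF file header, contents irrelevant here
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a legacy build with no mitigations and a build with ASLR and DEP.
LEGACY_IMAGE = build_minimal_pe(0)
HARDENED_IMAGE = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT)

if __name__ == "__main__":
    for name, img in (("legacy", LEGACY_IMAGE), ("hardened", HARDENED_IMAGE)):
        print(name, mitigation_report(img), "fixed-address risk:", fixed_address_risk(img))
```

To check a real module, replace the constructed samples with the bytes of the file read from disk; a result of `aslr: False` on any module loaded into the process is the condition that lets a fixed return address survive reboots, and relinking that module with /DYNAMICBASE (and /NXCOMPAT) is the fix on the vendor's side.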
It's done! :)
See you next time.