Wednesday, 16 January 2019

Exploiting BlazeDVD

I wasn't very satisfied after my last case, so I decided to check another piece of software. This time I tried to exploit BlazeDVD. Below you will find a few details about it. Here we go...
If you would like to check the software, you can find it here:

Just like before, I used Windows 7, ImmunityDbg with mona.py, and Python (installed on Windows as well).

To start, just open BlazeDVD, then open ImmunityDbg and attach it to the target process:


We are here:

Our skeleton PoC is pretty similar to the one mentioned in the last post:


Loading it into BlazeDVD:

Good results. It's time to count...
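The "counting" step above is the usual cyclic-pattern trick: replace the buffer of A's with a non-repeating pattern, crash again, and look up where the 4 bytes that landed in EIP sit inside that pattern. The following is an added example (not code from the original post) implementing that lookup in plain Python, in the same style as mona's pattern_create/pattern_offset; the EIP value used in it (0x41336141) is constructed for the demonstration and is not a value taken from the BlazeDVD crash.

```python
import string
import struct

# Character sets of a Metasploit-style cyclic pattern: Aa0Aa1Aa2 ... Zz9
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before it repeats


def pattern_create(length: int) -> str:
    """Build a cyclic pattern of `length` bytes in which every 4-byte window is unique."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern would repeat beyond {MAX_UNIQUE} bytes")
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, value) -> int:
    """Return the offset of a crash value inside `pattern`.

    `value` may be the 4-byte string as seen in the dump window, or an int
    exactly as the debugger prints EIP. The int is packed little-endian because
    x86 stores the dword that way, so EIP=0x41336141 corresponds to "Aa3A" in memory.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError(f"{needle!r} not found in pattern (wrong pattern length or byte order?)")
    return idx


def eip_to_offset(buffer_length: int, eip: int) -> int:
    """Convenience wrapper: the offset to EIP for a crash produced by a pattern of buffer_length bytes."""
    return pattern_offset(pattern_create(buffer_length), eip)


if __name__ == "__main__":
    # Constructed demonstration: pretend the debugger showed EIP = 41336141 after
    # loading a 2000-byte pattern. The offset tells us how much padding precedes EIP.
    demo_length = 2000
    demo_eip = 0x41336141  # constructed value, not from the real crash
    print("offset to EIP:", eip_to_offset(demo_length, demo_eip))
```

Once the offset is known, the padding becomes `offset` bytes of junk, the next 4 bytes are what EIP will hold (BBBB in the skeleton), and everything after that is what ESP points at when the crash happens, which is why the dump view of ESP is the next thing to check.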


And we are here:

(To be honest, first I was looking for an SEH overflow, but after a while I tried another approach. You'll see below.) So: right-click on ESP and choose Follow in Dump:

So: I used !mona.py jmp -r esp to find a correct address for our jump to ESP (to replace BBBB):


In the PoC code I decided to use the address of a PUSH ESP followed by RET. The payload was generated in a way very similar to the one defined in my venome.sh script (you can check it here). With netcat ready to receive the connection from the remote host on port 443/tcp, I started BlazeDVD again and loaded our newly created list8.plf:


It's done! :)

See you next time.

