Search the Community

# Exploit Title: Bsplayer HTTP Response BOF # Date: Jan 17 ,2015 # Exploit Author: Fady Mohamed Osman (@fady_osman) # Vendor Homepage: www.bsplayer.com # Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html # Version: current (2.68). # Tested on: Windows 7 sp1 x86 version. # Exploit-db : http://www.exploit-db.com/author/?a=2986 # Youtube : https://www.youtube.com/user/cutehack3r Exploit: http://www.exploit-db.com/sploits/35841.tar.gz Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I needed to load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed that one of the dlls that matches this criteria is (MSVCR71.dll) and it's loaded when I loaded an flv file over the network and that's why I'm sending a legitimate flv file first so later we can use the loaded dll. Also the space after the seh record is pretty small so what I did is that I added a small stage shell cdoe to add offset to esp so it points at the beginning of my buffer and then a jmp esp instruction to execute the actual shellcode. -- *Regards,* Fady Osman about.me/Fady_Osman <http://about.me/Fady_Osman> Source