Jump to content
Aerosol

Bsplayer 2.68 - HTTP Response Buffer Overflow

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

# Exploit Title: Bsplayer HTTP Response BOF
# Date: Jan 17 ,2015
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: www.bsplayer.com
# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html
# Version: current (2.68).
# Tested on: Windows 7 sp1 x86 version.
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r

Exploit: http://www.exploit-db.com/sploits/35841.tar.gz

Bsplayer suffers from a buffer overflow vulnerability when processing the
HTTP response when opening a URL. In order to exploit this bug I needed to
load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed
that one of the dlls that matches this criteria is (MSVCR71.dll) and it's
loaded when I loaded an flv file over the network and that's why I'm
sending a legitimate flv file first so later we can use the loaded dll.
Also the space after the seh record is pretty small so what I did is that I
added a small stage shell cdoe to add offset to esp so it points at the
beginning of my buffer and then a jmp esp instruction to execute the actual
shellcode.


-- 

*Regards,*

Fady Osman
about.me/Fady_Osman
    <http://about.me/Fady_Osman>

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...