Aerosol Posted January 20, 2015 Report Share Posted January 20, 2015 # Exploit Title: Bsplayer HTTP Response BOF# Date: Jan 17 ,2015# Exploit Author: Fady Mohamed Osman (@fady_osman)# Vendor Homepage: www.bsplayer.com# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html# Version: current (2.68).# Tested on: Windows 7 sp1 x86 version.# Exploit-db : http://www.exploit-db.com/author/?a=2986# Youtube : https://www.youtube.com/user/cutehack3rExploit: http://www.exploit-db.com/sploits/35841.tar.gzBsplayer suffers from a buffer overflow vulnerability when processing theHTTP response when opening a URL. In order to exploit this bug I needed toload a dll with no null addresses and no safeseh ,ASLR or DEP. I noticedthat one of the dlls that matches this criteria is (MSVCR71.dll) and it'sloaded when I loaded an flv file over the network and that's why I'msending a legitimate flv file first so later we can use the loaded dll.Also the space after the seh record is pretty small so what I did is that Iadded a small stage shell cdoe to add offset to esp so it points at thebeginning of my buffer and then a jmp esp instruction to execute the actualshellcode.-- *Regards,*Fady Osmanabout.me/Fady_Osman <http://about.me/Fady_Osman>Source Quote Link to comment Share on other sites More sharing options...
