Jump to content
Aerosol

Bsplayer 2.68 - HTTP Response Buffer Overflow

Recommended Posts

# Exploit Title: Bsplayer HTTP Response BOF
# Date: Jan 17 ,2015
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: www.bsplayer.com
# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html
# Version: current (2.68).
# Tested on: Windows 7 sp1 x86 version.
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r

Exploit: http://www.exploit-db.com/sploits/35841.tar.gz

Bsplayer suffers from a buffer overflow vulnerability when processing the
HTTP response when opening a URL. In order to exploit this bug I needed to
load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed
that one of the dlls that matches this criteria is (MSVCR71.dll) and it's
loaded when I loaded an flv file over the network and that's why I'm
sending a legitimate flv file first so later we can use the loaded dll.
Also the space after the seh record is pretty small so what I did is that I
added a small stage shell cdoe to add offset to esp so it points at the
beginning of my buffer and then a jmp esp instruction to execute the actual
shellcode.


--

*Regards,*

Fady Osman
about.me/Fady_Osman
<http://about.me/Fady_Osman>

Source

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...