And here’s the next one. A SEH-based Buffer Overflow - exploitable on all 32-bit Windows systems out there :-). The application does not validate (again, but in a different module) the length of the title value while loading the contents of a ProShow transition file (.pxt), which leads to a buffer overflow condition via an overwritten SEH chain:
The vulnerable function is called in the pshow.dnt, which is a rebased module, so the following addresses may be different on your system:
The function copies the value from EAX, which is the controlled “title” value, byte-by-byte, and finally fills up the stack until no space is left anymore. This overwrites the SEH chain, which means full application control:
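To make the root cause concrete from the fixing side, here is an added example (not code from the post or from ProShow) of the bounds check that the copy loop above lacks: the title value is measured against the destination buffer before a single byte is copied, and an over-long value is rejected instead of being written until the stack runs out. The key=value, newline-terminated layout of the .pxt file and the 64-byte destination size are assumptions for illustration; the real on-disk format and the real stack buffer size inside pshow.dnt are not given in the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer the title is copied into.
 * The real size inside pshow.dnt is not stated; 64 is a placeholder. */
#define TITLE_BUF_SIZE 64

enum title_status { TITLE_OK = 0, TITLE_MISSING = 1, TITLE_TOO_LONG = 2 };

/* Bounded substring search (memmem is not part of standard C). */
static const char *find_bytes(const char *hay, size_t hay_len,
                              const char *needle, size_t needle_len) {
    if (needle_len == 0 || hay_len < needle_len) return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        if (memcmp(hay + i, needle, needle_len) == 0) return hay + i;
    }
    return NULL;
}

/* Extract the value after "title=" (assumed layout) into dst.
 * Returns TITLE_TOO_LONG without touching dst if the value would not fit,
 * which is exactly the check missing from the vulnerable copy loop. */
enum title_status extract_title(const char *data, size_t data_len,
                                char *dst, size_t dst_size, size_t *value_len) {
    static const char key[] = "title=";
    const char *hit = find_bytes(data, data_len, key, sizeof key - 1);
    if (hit == NULL) return TITLE_MISSING;

    const char *start = hit + (sizeof key - 1);
    const char *limit = data + data_len;
    const char *end = start;
    while (end < limit && *end != '\n' && *end != '\r') end++;

    size_t len = (size_t)(end - start);
    if (value_len) *value_len = len;

    /* Validate length first; leave room for the terminator. */
    if (len >= dst_size) return TITLE_TOO_LONG;

    /* Byte-by-byte copy like the original, now bounded by the check above. */
    for (size_t i = 0; i < len; i++) dst[i] = start[i];
    dst[len] = '\0';
    return TITLE_OK;
}

/* Classify a whole .pxt-style buffer against the assumed destination size. */
enum title_status check_pxt(const char *data, size_t data_len) {
    char title[TITLE_BUF_SIZE];
    return extract_title(data, data_len, title, sizeof title, NULL);
}

/* Build a constructed file whose title is n bytes of 'A' and classify it.
 * Used to probe the boundary without crafting real transition files. */
enum title_status check_title_with_length(size_t n) {
    size_t total = 6 + n + 1;            /* "title=" + value + '\n' */
    char *buf = malloc(total);
    if (buf == NULL) return TITLE_MISSING;
    memcpy(buf, "title=", 6);
    memset(buf + 6, 'A', n);
    buf[6 + n] = '\n';
    enum title_status st = check_pxt(buf, total);
    free(buf);
    return st;
}

/* Constructed benign sample, not a real ProShow file. */
static const char BENIGN_PXT[] = "version=1\ntitle=Fade In\neffect=fade\n";

int main(void) {
    printf("benign:   %d\n", check_pxt(BENIGN_PXT, sizeof BENIGN_PXT - 1));
    printf("63 bytes: %d\n", check_title_with_length(63));   /* last value that fits */
    printf("64 bytes: %d\n", check_title_with_length(64));   /* first value rejected */
    printf("300 bytes: %d\n", check_title_with_length(300));
    return 0;
}
```

The point of the example is the ordering: length is computed from the input and compared against the destination before the loop runs, so an oversized title produces an error code rather than an overwritten SEH record.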
All you have to do is to manipulate a .pxt file nearly the same way as a .pst file and open it using ProShow. Use the following PoC script and insert the generated string into a .pxt file after the “title” identifier to trigger the vulnerability:
The limitation: a smaller space (around 170 bytes) for your shellcode due to some repetitions in the copy process, which adds a path to the input value like:
Anyways. Just to show that it is exploitable :-)
ProShow pwned the 4th time.