And here’s the next one. A SEH-based buffer overflow – exploitable on all 32-bit Windows systems out there :-). The application does not validate (again, but in a different module) the length of the title value while loading the contents of a ProShow transition file (.pxt), which leads to a buffer overflow condition via an overwritten SEH chain.
The vulnerable function lives in pshow.dnt, which is a rebased module, so the following addresses may be different on your system:

The function copies the value from EAX, which is the controlled “title” value, byte by byte, and finally fills up the stack until no space is left. This overwrites the SEH chain, which means full application control.
All you have to do is to manipulate a .pxt file nearly the same way as a .pst file and open it using ProShow. Use the following PoC script and insert the generated string into a .pxt file after the “title” identifier to trigger the vulnerability:

The limitation: a smaller space (around 170 bytes) for your shellcode due to some repetitions in the copy process, which adds a path to the input value like:

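A defensive check for the condition described above (an oversized or binary-laden “title” value inside a transition file), added here as an example that is not part of the original post. The `title=<value>` line layout and the 256-byte threshold are assumptions about the file format, not taken from ProShow’s specification.

```python
import re
from dataclasses import dataclass

# Constructed sample files. The "title=<value>" line layout is an assumption
# about the .pxt text format; adjust TITLE_RE if real files differ.
BENIGN_PXT = b"[transition]\ntitle=Cross Fade\nduration=2.0\n"
SUSPICIOUS_PXT = (
    b"[transition]\ntitle=" + b"A" * 600 + b"\x90\x90\xcc" + b"\nduration=2.0\n"
)

TITLE_RE = re.compile(rb"^\s*title\s*[=:]\s*(.*?)\s*$", re.IGNORECASE)
MAX_TITLE_LEN = 256  # assumed sane upper bound; no real title comes close


@dataclass
class Finding:
    line_no: int
    length: int          # byte length of the title value
    non_printable: int   # bytes outside 0x20..0x7e (shellcode-like content)

    @property
    def suspicious(self) -> bool:
        return self.length > MAX_TITLE_LEN or self.non_printable > 0


def scan_pxt(data: bytes) -> list[Finding]:
    """Return one Finding per title line; bytes.splitlines only breaks on CR/LF,
    so raw payload bytes inside a value stay on their line."""
    findings = []
    for n, line in enumerate(data.splitlines(), 1):
        m = TITLE_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        nonprint = sum(1 for b in value if b < 0x20 or b > 0x7E)
        findings.append(Finding(n, len(value), nonprint))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any title value is over-long or contains non-printable bytes."""
    return any(f.suspicious for f in scan_pxt(data))
```

Run `scan_pxt` over transition files before they reach ProShow, or use it as a quick triage rule for files found on a compromised host.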
Anyway. Just to show that it is exploitable 🙂

ProShow pwned the 4th time.

Photodex ProShow Producer Vulnerability #4: SEH-Based Buffer Overflow (.PXT)