# Exploit Title: Photodex ProShow Producer v5.0.3256 Local Buffer Overflow Vulnerability
# Version: v5.0.3256
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.photodex.com
# Tested on: Windows XP SP3 Professional German
# Howto: Place file into appdir-> Launch
1. Copy the crafted "load" file into the ProShow Producer installation directory.
2. Load the application in OllyDbg and set a conditional breakpoint on CreateFileA (bp CreateFileA, condition [STRING [esp+4]] == "C:\Program Files\Photodex\ProShow Producer\load"). Press F9 to run; the program pauses when it opens that file.
3. Press F9 to reach the breakpoint on ReadFile, which performs the read that brings the file contents (the shellcode) into memory.
4. Press Ctrl+F9 to run until return. The file contents are now in memory; locate them, then set a memory access breakpoint on that region (as shown in the figure). Press F9 and, at each break, check whether data is being written to the stack.
5. At the first break the code is only checking the bytes for a carriage return or line feed (deciding where the line ends). Delete the memory breakpoint here.
10021EE1   /  74 09     je short if.10021EEC
10021EE3   |  3C 0D     cmp al, 0D
10021EE5   |  74 05     je short if.10021EEC
10021EE7   |  46        inc esi
10021EE8   |  3BF1      cmp esi, ecx
10021EEA  ^|  7C F0     jl short if.10021EDC
10021EEC   \  8BFE      mov edi, esi
Select 10021EEC, press F4 (run to selection), and set the memory write breakpoint again. Press F9; the program pauses at the following location.
6. At the break at 102163, data is written to the stack in a loop. The stack contents have been overwritten, and the writes have gone past the stack's address range; an exception is raised, confirming that the overflow has occurred.
Summary:
The shellcode is not executed successfully; if you are interested, continue the analysis from here.
The overflow occurs because memcpy is called at 10021F03 without checking the copy length against the size of the destination buffer, so the copy overwrites the return address.
The decompiled code around 10021F03 is shown below (only the part we care about is excerpted):
  v13 = OpenFile(FileName, &ReOpenBuff, 0x40u);          // open the "load" file
  v14 = v13;
  if ( v13 != -1 )                                       // did the open succeed?
  {
    v15 = _llseek(v13, 0, 2);                            // seek to the end: v15 = file size
    v16 = v15;
    v32 = v15;
    _llseek(v14, 0, 0);                                  // seek back to the start
    v17 = (void *)NewMemoryCheckMemAllocLocal(v16, (int)"LoadPlug", (int)"if.c", 4094); // buffer of file size
    v18 = v17;
    v33 = v17;
    if ( v17 )
    {
      if ( _hread(v14, v17, v16) == v16 )                // read the whole file into the buffer
      {
        _lclose(v14);
        v19 = v32;
        for ( i = 0; i < v19; ++i )
        {
          // scan forward from i for a line feed or carriage return
          for ( j = i; j < v19; ++j )
          {
            v22 = *(_BYTE *)(v18 + j);
            if ( v22 == 0xA )
              break;
            if ( v22 == 0xD )
              break;
          }
          // for the crafted file (no CR/LF) j is the file size and i is 0
          if ( j != i )
          {
            memcpy(&Dst, (char *)v33 + i, j - i);        // unchecked: j - i may exceed sizeof(Dst)
            // ... remainder of the function not excerpted
          }
        }
      }
    }
  }
From the above it can be seen that if the file is large enough, Dst overflows: Dst is a local (stack) variable of only 290h bytes, while the copy length j - i is the length of the line, which is bounded only by the file size.
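The following C program is an added illustration and is neither the vendor's code nor the author's. It re-implements the line-scan-and-copy logic of the decompiled excerpt in two forms: one that models the original unchecked memcpy by only reporting whether the copy would exceed the 290h-byte buffer (it never performs the copy, so it is safe to run), and a bounded variant that rejects over-long lines instead. DST_SIZE is taken from the page's figure of 290h; find_line_end, line_would_overflow, copy_line_bounded, the sample inputs and the demo_* helpers are names invented for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the local buffer "Dst" in the decompiled excerpt (290h bytes). */
#define DST_SIZE 0x290

/* Constructed sample input: two short lines, CR/LF and LF terminated. */
static const unsigned char SAMPLE_SHORT[] = "plugin=foo\r\nplugin=bar\n";
#define SAMPLE_SHORT_LEN (sizeof SAMPLE_SHORT - 1)

/* Length of a constructed single line with no CR/LF, larger than Dst. */
#define LONG_LINE_LEN (DST_SIZE + 100)

/* Re-implementation of the inner scan loop: from offset i, return the offset j
 * of the first LF (0x0A) or CR (0x0D), or len if no terminator follows. */
size_t find_line_end(const unsigned char *buf, size_t len, size_t i)
{
    size_t j;
    for (j = i; j < len; ++j) {
        if (buf[j] == 0x0A || buf[j] == 0x0D)
            break;
    }
    return j;
}

/* Models the unchecked memcpy(&Dst, buf + i, j - i): returns 1 if that copy
 * would write past a DST_SIZE buffer. It never performs the copy. */
int line_would_overflow(const unsigned char *buf, size_t len, size_t i)
{
    size_t j = find_line_end(buf, len, i);
    return (j - i) > DST_SIZE;
}

/* Hardened variant: refuse lines that do not fit (leaving room for a NUL)
 * instead of copying them. Returns bytes copied, or -1 when rejected. */
long copy_line_bounded(unsigned char *dst, size_t dst_size,
                       const unsigned char *buf, size_t len, size_t i)
{
    size_t j = find_line_end(buf, len, i);
    size_t n = j - i;
    if (n >= dst_size)
        return -1;
    memcpy(dst, buf + i, n);
    dst[n] = '\0';
    return (long)n;
}

/* Bounded copy of the first line of the short sample: returns 10. */
long demo_short_line(void)
{
    unsigned char dst[DST_SIZE];
    return copy_line_bounded(dst, sizeof dst, SAMPLE_SHORT, SAMPLE_SHORT_LEN, 0);
}

/* Build one LONG_LINE_LEN-byte line of 'A' (no CR/LF) and report whether the
 * original unchecked copy would overflow Dst: returns 1. */
int demo_long_line_unchecked(void)
{
    unsigned char file[LONG_LINE_LEN];
    memset(file, 'A', sizeof file);
    return line_would_overflow(file, sizeof file, 0);
}

/* The same long line through the bounded copy: returns -1, nothing written. */
long demo_long_line_bounded(void)
{
    unsigned char file[LONG_LINE_LEN];
    unsigned char dst[DST_SIZE];
    memset(file, 'A', sizeof file);
    return copy_line_bounded(dst, sizeof dst, file, sizeof file, 0);
}

int main(void)
{
    printf("short line: bounded copy = %ld bytes, unchecked overflow = %d\n",
           demo_short_line(),
           line_would_overflow(SAMPLE_SHORT, SAMPLE_SHORT_LEN, 0));
    printf("long line:  bounded copy = %ld, unchecked overflow = %d\n",
           demo_long_line_bounded(), demo_long_line_unchecked());
    return 0;
}
```

The check in copy_line_bounded is the one missing from the decompiled loop: the copy length is derived purely from where the next CR/LF sits, so a file with no line terminator makes it equal to the file size. Comparing that length against the destination size before the memcpy (and failing the load rather than truncating silently) is the fix; the `line_would_overflow` helper shows that the constructed long line would have exceeded Dst by 100 bytes.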
Author huacm