The proof of concept of the vulnerability was released on December 9, 2011, and there has been no further announcement from CyberLink. I tried to coordinate the issue with them until they stopped contacting me. A week after our last email, they updated the product, and yes, it’s Power2Go 8. How do they know that the product is safe without letting me check again?
The application itself is still vulnerable to the stack buffer overflow we posted about earlier here. This morning, a good friend from Metasploit, mr_me, sent me an email asking why I didn’t get a shell from this POC. He also attached his working exploit script, which works flawlessly on Windows 7. Awesome!
I told him that I had already managed to get a shell on Power2Go 7 (build 196), but couldn’t find any reliable jump address on Power2Go 8: because it’s a Unicode stack overflow, you face a very limited choice of jump addresses. He submitted his working exploit to the Metasploit Dev Team, so it will be added to Metasploit as well.
So, here is the POC for Power2Go 7:
Looking for a Power2Go 8 exploit? Wait until mr_me’s pull request is accepted by the Metasploit team; it will then be pushed to your Metasploit installation automatically as well.
We don’t have any information if the vulnerability is being exploited.