bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/16024.txt
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

95 lines
No EOL
2.4 KiB
Text
Raw Permalink Blame History

Source: http://aluigi.org/adv/fxscover_1-adv.txt
#######################################################################
Luigi Auriemma
Application: Microsoft Fax Cover Page Editor
http://windows.microsoft.com/en-US/windows-vista/Create-or-edit-a-fax-cover-page
Versions: <= 5.2.3790.3959
Platforms: Windows
Bug: double free
Exploitation: local
Date: 19 Jan 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Fax Cover Page Editor is a program for the viewing and editing of
various formats of fax cover files.
#######################################################################
======
2) Bug
======
fxscover.exe is available on Windows after the installation of the Fax
Service.
The various "Text" elements have a 16bit field that seems used to index
them and by default it has a negative value like 0x8001.
By using a positive value major than 0 and lower than the total number
of elements is possible to cause a problem during the freeing of the
allocated object.
The provided proof-of-concept demonstrates the possibility of executing
code immediately after the acknoledgement of the initial message box
when is called FXSCOVER!CDrawDoc::Remove by
FXSCOVER!CDrawDoc::DeleteContents.
Modifications:
00005098 FE CC // code execution starts from here
000093F5 01 04 // 16bit in little endian
000093F6 80 00
Alternatively is also possible to exploit the bug when the program gets
closed or another file is opened by modifying the 16 bit at offset
0x94a5 instead of the one at 0x93f5, so that the file will be
considered valid.
#######################################################################
===========
3) The Code
===========
DoS:
http://aluigi.org/poc/fxscover_1.cov
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/16024-fxscover_1.cov
Bind Shell:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/fxscover_1_bind28876.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink