bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/18602.txt
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

92 lines
No EOL
2.5 KiB
Text
Raw Blame History

#######################################################################
Luigi Auriemma
Application: Epson EventManager
http://www.epson.com
Versions: <= 2.50
Platforms: Windows
Bug: Denial of Service
Exploitation: remote
Date: 14 Mar 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Epson EventManager is a program started when the computer starts and
listens on port 2968 ("Network Scan" enabled by default), it allows to
automate some actions of the Epson scanners (like the scan&save button)
through the PushScan protocol.
#######################################################################
======
2) Bug
======
The secure strncpy function that copies the "x-protocol-version" string
in a 7 bytes buffer can be forced to (auto)terminate the program if
it's longer than that size and starts with "1.":
0163967F |> 53 PUSH EBX
01639680 |. 8B5C24 24 MOV EBX,DWORD PTR SS:[ESP+24]
01639684 |. 53 PUSH EBX
01639685 |. 50 PUSH EAX
01639686 |. E8 25F8FFFF CALL epnsm.01638EB0 ; parse "x-protocol-version" string
0163968B |. 83C4 08 ADD ESP,8
0163968E |. 83F8 01 CMP EAX,1
01639691 |. 0F85 FC000000 JNZ epnsm.01639793 ; version 1
01639697 |. 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
0163969B |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0163969F |. 6A 06 PUSH 6
016396A1 |. 33C0 XOR EAX,EAX
016396A3 |. 52 PUSH EDX
016396A4 |. 8901 MOV DWORD PTR DS:[ECX],EAX
016396A6 |. 51 PUSH ECX
016396A7 |. 66:8941 04 MOV WORD PTR DS:[ECX+4],AX
016396AB |. E8 D0B5FFFF CALL epnsm.01634C80 ; secure strncpy
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/eeventmanager_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18602.dat
nc SERVER 2968 < eeventmanager_1.dat
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink