README.md
description.txt
poc_minimized_7cfee7d5d2768b2f5104395c2bdead2c-20-0x246c8bff.mrd
poc_runcmd_7cfee7d5d2768b2f5104395c2bdead2c-20-0x246c8bff.mrd

README.md

CVE-2018-18695

Information

Software    : Report Designer
Version     : 5.0
Environment : Windows 10 Pro, Windows 10 Edu

Proof of Concept

eax=02ab67ff ebx=00bf5560 ecx=02ab67ff edx=0018aaac esi=02a755e8 edi=0018a8b4
eip=61616161 esp=00189e64 ebp=00189e6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202

Exploitation

The EIP register can be controlled by dragging and dropping a malicious file into the RD viewer, as the crash above shows (eip=61616161). Because this software has no DEP, ASLR, or CFG, it can easily be exploited with shellcode.