Skip to content

PassMoon/Nconvert_Vul

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Nconvert_Vul

Description

XnSoft NConvert 7.230 are vulnerable to Stack Buffer Overrun via a crafted .tiff file

Vendor

  • nconvert.exe

Affected Products

  • NConvert 7.230

Impact

  • Denial of Service

PoC

  • Denial of Service
    • cmdline used nconvert.exe -out tiff id_000003_00
Microsoft (R) Windows Debugger Version 10.0.17763.132 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\Users\Chipset\Desktop\NConvert\nconvert.exe -out tiff id_000003_00
Starting directory: C:\Users\Chipset\Desktop\NConvert
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00400000 0070c000   nconvert.exe
ModLoad: 77d70000 77f22000   ntdll.dll
ModLoad: 75b90000 75c80000   C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 77ad0000 77d52000   C:\WINDOWS\SysWOW64\KERNELBASE.dll
ModLoad: 758f0000 75996000   C:\WINDOWS\SysWOW64\apphelp.dll
ModLoad: 76350000 764f9000   C:\WINDOWS\SysWOW64\USER32.dll
ModLoad: 759a0000 759ba000   C:\WINDOWS\SysWOW64\win32u.dll
ModLoad: 76e00000 76e23000   C:\WINDOWS\SysWOW64\GDI32.dll
ModLoad: 76f00000 76fe2000   C:\WINDOWS\SysWOW64\gdi32full.dll
ModLoad: 77a40000 77ab9000   C:\WINDOWS\SysWOW64\msvcp_win.dll
ModLoad: 75ec0000 75fd2000   C:\WINDOWS\SysWOW64\ucrtbase.dll
ModLoad: 76150000 761cf000   C:\WINDOWS\SysWOW64\ADVAPI32.dll
ModLoad: 77970000 77a34000   C:\WINDOWS\SysWOW64\msvcrt.dll
ModLoad: 776a0000 77725000   C:\WINDOWS\SysWOW64\sechost.dll
ModLoad: 761f0000 7620a000   C:\WINDOWS\SysWOW64\bcrypt.dll
ModLoad: 77740000 777fa000   C:\WINDOWS\SysWOW64\RPCRT4.dll
ModLoad: 76ff0000 77695000   C:\WINDOWS\SysWOW64\SHELL32.dll
(114b8.1270c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=194a0000 edx=00000000 esi=00ae2a60 edi=002f3000
eip=77e28957 esp=0019f7f4 ebp=0019f820 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
77e28957 cc              int     3
0:000> g
ModLoad: 76dd0000 76df5000   C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 7c230000 7c2ac000   C:\Users\Chipset\Desktop\NConvert\Plugins\libwebp.dll
ModLoad: 7c2b0000 7c2d5000   C:\Users\Chipset\Desktop\NConvert\Plugins\libsharpyuv.dll
(114b8.1270c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
*** ERROR: Module load completed but symbols could not be loaded for nconvert.exe
eax=00000001 ebx=00b164a8 ecx=00000002 edx=000001f8 esi=000029f0 edi=00b16128
eip=005e5968 esp=0019b158 ebp=0019b47c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
nconvert+0x1e5968:
005e5968 cd29            int     29h
0:000> !load msec; !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at nconvert+0x00000000001e5968 (Hash=0x6647ade4.0x18a6c6ee)

An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors