CVE-2014-0980
Published 2014-02-11

CVE-2014-0980: Buffer overflow in Poster Software PUBLISH-iT 3.6d allows remote attackers to execute arbitrary code via a crafted PUI file.

Priority: P357 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 40.36% (98.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| poster_software | publish_it | — | — |
Detection & IOCs (extracted from sources)
- Malicious .PUI files begin with the OLE2 compound document magic bytes D0 CF 11 E0 A1 B1 1A E1; alert on Publish-It opening .PUI files with oversized PDATA streams (offset 1082+ bytes before the SEH overwrite).
- The SEH overwrite uses a pop/pop/ret gadget at 0x0046e95a inside Publish.EXE; look for an EIP/SEH handler pointing into the Publish.EXE .text section around that address.
- The exploit triggers only when 'Automatic Preview' is enabled in Publish-It; monitor Publish.EXE spawning child processes or executing shellcode after opening a .PUI file.
- EIP control value 0x04040404 was observed in the PoC crash; memory scanning for repeated 0x04 byte patterns in the stack region can indicate an exploitation attempt.
- Payload space is 377 bytes; a 700-byte NOP sled is prepended before the shellcode in the crafted .PUI; heuristically scan for large NOP sleds inside OLE2-structured .PUI files.
- The vulnerability is client-side (locally exploitable); remote exploitation requires social engineering the victim into opening a crafted .PUI file.
- Only Publish-It v3.6d on Win XP and Win 7 was confirmed tested; other versions are likely affected but unverified.
- The SEH exploit variant requires 'Automatic Preview' to be enabled in the application settings to trigger the overflow.
No detection rules found.
Exploit-DB: Publish-It - '.PUI' Local Buffer Overflow (SEH) (Metasploit)
exploitdb · 2015-03-19 · CVSS 9.3 [CRITICAL]
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Publish-It PUI Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a stack based buffer overflow in Publish-It when
processing a specially crafted .PUI file. This vulnerability could be
exploited by a remote attacker to execute arbitrary code on the target
machine by enticing a user of Publish-It to open a malicious .PUI file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Kazimirow', # Original discovery
'Andrew Smith "jakx_"', # Exploit and MSF Module
],
'References' =>
[
[ 'OSVDB', '102911' ],
[ 'CVE', '2014-0980' ],
[ 'EDB', '31
Exploit-DB: Publish-It 3.6d - Local Buffer Overflow (SEH)
exploitdb · 2015-02-18
---
#!/usr/bin/python
# Title: Publish-It 3.6d - Buffer Overflow (SEH) Exploit
# Date: 2/16/15
# Vulnerability: Discovery and PoC by Core Security http://www.exploit-db.com/exploits/31461/
# Exploit Author: jakx_ (Andrew Smith) of Sword & Shield Enterprise Security
# Vendor Homepage: http://www.postersw.com/
# Version: 3.6d
# Tested on: Win7 x64/x32
# CVE: 2014-0980
# Thanks: corelan, offsec
head="\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\xFE\xFF\xFF\xFF\x00\x00\x00\x00\xFE\xFF\xFF\xFF\x00\x00\x00\x00\x03\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\
Exploit-DB: Publish-It 3.6d - '.pui' Local Buffer Overflow (SEH)
exploitdb · 2014-02-08
---
#!/usr/bin/env ruby
# Exploit Title: Publish-It 3.6d - SEH Buffer Overflow
# Date: 8/2/2014
# Exploit Author: Muhamad Fadzil Ramli
# Vendor HomePage: https://www.postersw.com
# Software Link: https://www.postersw.com/publish3.exe
# Version App: v3.6d
# Tested on: Windows 7 x86 - Version 6.1.7600
# CVE:None
# Notes:-
# .pui sample file format taken from coresecurity p.o.c
# This exploit only works if the "Automatic Preview" option is enabled when opening a .pui file within the Publish-IT application.
filename = "motiv.pui"
pui =
"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" +
Exploit-DB: Publish-It 3.6d - Buffer Overflow
exploitdb · 2014-02-06 · CVSS 9.3 [CRITICAL]
---
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Publish-It Buffer Overflow Vulnerability
1. *Advisory Information*
Title: Publish-It Buffer Overflow Vulnerability
Advisory ID: CORE-2014-0001
Advisory URL:
http://www.coresecurity.com/advisories/publish-it-buffer-overflow-vulnerability
Date published: 2014-02-05
Date of last update: 2014-02-05
Vendors contacted: Poster Software
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0980
3. *Vulnerability Description*
Publish-It [1] is prone to a (client side) security vulnerability when
processing .PUI files. This vulnerability could be exploited
Metasploit: Publish-It PUI Buffer Overflow (SEH)
This module exploits a stack based buffer overflow in Publish-It when processing a specially crafted .PUI file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Publish-It to open a malicious .PUI file.
No writeups or analysis indexed.
References:
- http://osvdb.org/102911
- http://packetstormsecurity.com/files/125089
- http://seclists.org/fulldisclosure/2014/Feb/34
- http://secunia.com/advisories/56618
- http://www.coresecurity.com/advisories/publish-it-buffer-overflow-vulnerability
- http://www.exploit-db.com/exploits/31461
- http://www.securityfocus.com/archive/1/530943/100/0/threaded
- http://www.securityfocus.com/bid/65366
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90989