River Past CamDo Buffer Overflow Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in River Past CamDo version 3.7.6. The overflow overwrites a structured exception handler (SEH) record, allowing local attackers to execute arbitrary code. Exploitation requires crafting a payload that includes a 280-byte buffer, a jump instruction in the next SEH record pointer (NSEH), and an SEH handler address that points to a 'pop-pop-ret' gadget. The malicious string must be placed in the 'Lame_enc.dll' name field. Successful exploitation can lead to the execution of a bind shell on port 3110.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with the privileges of the user running River Past CamDo.

Reproduction

To reproduce this vulnerability, first create a payload using a Python script that writes a 280-byte buffer followed by an NSEH jump instruction and an SEH handler address into a text file. Then, open the CamDo application and navigate to the 'Options' menu under 'File'. Paste the contents of the text file into the 'Lame_enc.dll' name field and click 'OK'. This will trigger the buffer overflow and establish a bind shell on port 3110.
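
A triage check for the outcome described above (a bind shell on port 3110), added here as an example and not part of the original advisory. It joins `netstat -ano -p tcp` and `tasklist /fo csv /nh` output and flags sockets on port 3110 or any listener owned by the CamDo process. The sample outputs are constructed, and the image name `CamDo.exe` is an assumption.

```python
import csv
import io

BIND_PORT = 3110  # port named in the advisory

# Constructed sample of `netstat -ano -p tcp` output (not from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3110           0.0.0.0:0              LISTENING       4312
  TCP    192.168.56.10:3110     192.168.56.1:50122     ESTABLISHED     4312
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

# Constructed sample of `tasklist /fo csv /nh`; "CamDo.exe" is an assumed image name.
TASKLIST = '''"svchost.exe","912","Services","0","9,120 K"
"CamDo.exe","4312","Console","1","41,004 K"
"System","4","Services","0","140 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def tcp_rows(netstat_text):
    """Yield (local_port, remote, state, pid) for each TCP row; skips headers."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            # rsplit handles both 0.0.0.0:3110 and [::]:3110
            yield int(f[1].rsplit(":", 1)[1]), f[2], f[3], int(f[4])

def find_suspect_sockets(netstat_text, tasklist_csv, image="CamDo.exe", port=BIND_PORT):
    """Flag any socket on the advisory's port, plus any listener owned by `image`."""
    names = pid_names(tasklist_csv)
    findings = []
    for lport, remote, state, pid in tcp_rows(netstat_text):
        owner = names.get(pid, "?")
        owned_listener = state == "LISTENING" and owner.lower() == image.lower()
        if lport == port or owned_listener:
            findings.append((owner, pid, lport, state, remote))
    return findings

if __name__ == "__main__":
    for f in find_suspect_sockets(NETSTAT, TASKLIST):
        print("ALERT owner=%s pid=%d port=%d state=%s remote=%s" % f)
```

An `ESTABLISHED` row on the same port shows that a client has already connected to the listener, which raises the finding from exposure to active use.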

Added: Mar 26, 2026, 2:32 PM
Updated: Mar 26, 2026, 2:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.0
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.