Exploit the possiblities
Showing 26 - 50 of 924 RSS Feed

ActiveX Files

Heap Spraying - Active-X Controls Under Atatck
Posted Jan 17, 2014
Authored by Ashfaq Ansari

This is a whitepaper that discusses using heap sprays with vulnerable active-x controls.

tags | paper, activex
MD5 | 7b21cd751482e2d3247bda57d1a1cf23
Lorex Security DVR Active-X Buffer Overflow
Posted Jan 10, 2014
Authored by Pedro Ribeiro

Lorex Security DVR systems suffers from an active-x related buffer overflow vulnerability.

tags | advisory, overflow, activex
advisories | CVE-2014-1201
MD5 | 40fc8627f548e7485d2fd7dc68e1edc7
Microsoft Tagged Image File Format (TIFF) Integer Overflow
Posted Nov 27, 2013
Authored by sinn3r, temp66 | Site metasploit.com

This Metasploit module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large value, which ends up being 0, but it still gets pushed as a dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user.

tags | exploit, arbitrary, code execution, activex
systems | windows, xp
advisories | CVE-2013-3906
MD5 | 7840e627325a5c746a365b34d09b85a9
MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow
Posted Nov 26, 2013
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a vulnerability on the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists while the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of elements on a SafeArray and keeps a size field, counting the number of elements on the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. Later, a call to the add() method will use the corrupted length field to compute the address where write into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents. This Metasploit module achieves code execution by using VBScript as discovered in the wild on November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt one of the legit OBJECT elements with the described integer overflow and (5) achieve code execution by forcing the use of the corrupted OBJECT.

tags | exploit, overflow, code execution, activex
advisories | CVE-2013-3918, OSVDB-99555
MD5 | 67794b47c6fcc01e6db48548eec65d27
Aladdin Knowledge Systems Ltd. Overflow
Posted Oct 16, 2013
Authored by Blake

Aladdin Knowledge Systems Ltd. PrivAgent active-x control overflow exploit.

tags | exploit, overflow, activex
MD5 | 58583ce4f072ec68995aa572b75f04fb
Indusoft Thin Client 7.1 Buffer Overflow
Posted Oct 10, 2013
Authored by Blake

Indusoft Thin Client version 7.1 suffers from an active-x buffer overflow vulnerability.

tags | exploit, overflow, activex
MD5 | 5ae16a4df4d34ac0404bcb351055fc90
SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution
Posted Oct 2, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits the SEListCtrlX ActiveX installed with the SIEMENS Solid Edge product. The vulnerability exists on several APIs provided by the control, where user supplied input is handled as a memory pointer without proper validation, allowing an attacker to read and corrupt memory from the target process. This Metasploit module abuses the methods NumChildren() and DeleteItem() in order to achieve memory info leak and remote code execution respectively. This Metasploit module has been tested successfully on IE6-IE9 on Windows XP SP3 and Windows 7 SP1, using Solid Edge 10.4.

tags | exploit, remote, code execution, activex
systems | windows, xp, 7
advisories | OSVDB-93696
MD5 | 28ccc8a6b178310297fa38093831ae80
SolarWinds Monitor 6.0 Buffer Overflow
Posted Sep 23, 2013
Authored by Blake

SolarWinds Server and Application Monitor version 6.0 suffers from an active-x related buffer overflow vulnerability.

tags | exploit, overflow, activex
MD5 | a17c432125d326050ffaf3c546b88f44
McKesson Active-X 11.0.10.38 Enumeration
Posted Sep 19, 2013
Authored by Blake

McKesson active-x control version 11.0.10.38 suffers from a variable enumeration vulnerability.

tags | exploit, activex
MD5 | 7fc9cb81d75a7a73baadd00098a2af2d
Apple Security Advisory 2013-09-18-1
Posted Sep 18, 2013
Authored by Apple | Site apple.com

Apple Security Advisory 2013-09-18-1 - iTunes 11.1 is now available. A memory corruption issue existed in the iTunes ActiveX control. This issue was addressed through additional bounds checking.

tags | advisory, activex
systems | apple
advisories | CVE-2013-1035
MD5 | f3ff9a58395bdbf41d6e899302198eed
Mitsubishi MC-WorkX 8.02 File Execution
Posted Sep 16, 2013
Authored by Blake

Mitsubishi MC-WorkX version 8.02 active-x control file execution proof of concept exploit.

tags | exploit, activex, proof of concept
MD5 | db8a878b6e4747b66bfdd97898cb3f97
KingView 6.53 Active-X File Copy
Posted Sep 5, 2013
Authored by Blake

KingView version 6.53 has an insecure active-x control that allows for arbitrary file copying.

tags | exploit, arbitrary, activex
MD5 | e14559c44d143bb426239e7c6f703b53
KingView 6.53 Active-X File Overwrite / Creation
Posted Sep 5, 2013
Authored by Blake

KingView version 6.53 has an insecure active-x control that allows for arbitrary file creation and overwrite.

tags | exploit, arbitrary, activex
MD5 | d48d388c1554e21d38206d0028d68f1c
HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution
Posted Sep 4, 2013
Authored by juan vazquez, Brian Gorenc | Site metasploit.com

This Metasploit module exploits a vulnerability on the lrFileIOService ActiveX, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileString method, which allow the user to write arbitrary files. It's abused to drop a payload embedded in a dll, which is later loaded through the Init() method from the lrMdrvService control, by abusing an insecure LoadLibrary call. This Metasploit module has been tested successfully on IE8 on Windows XP. Virtualization based on the Low Integrity Process, on Windows Vista and 7, will stop this module because the DLL will be dropped to a virtualized folder, which isn't used by LoadLibrary.

tags | exploit, arbitrary, activex
systems | windows, xp, vista
advisories | CVE-2013-4798, OSVDB-95642
MD5 | 5f7630ca27a1c56598761f3e375ec40d
HP LoadRunner lrFileIOService ActiveX Remote Code Execution
Posted Aug 29, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability on the lrFileIOService ActiveX, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method where user provided data is used as a memory pointer. This Metasploit module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll 11.50.2216.0. In order to bypass ASLR the no aslr compatible module msvcr71.dll is used. This one is installed with HP LoadRunner.

tags | exploit, activex
systems | windows, xp
advisories | CVE-2013-2370, OSVDB-95640
MD5 | 8abb525c779efa76355554b3961f0bbc
PE (Portable Executable) File Format
Posted Aug 12, 2013
Authored by Nytro

This paper describes the PE (Portable Executable) file format used by Windows executables (.exe), dynamic link libraries (.dll) and other files: system drivers or ActiveX controls. It is written in Romanian.

tags | paper, activex
systems | windows
MD5 | 94fe1be7ede3e08b42807a1bb160574f
StarUML Buffer Overflow
Posted Aug 3, 2013
Authored by d3b4g

StarUML suffers from an active-x buffer overflow vulnerability in WinGraphviz.dll.

tags | exploit, overflow, activex
MD5 | cbc4114a37cbb858e1a296075a0507e5
TEC-IT TBarCode OCX ActiveX Control Buffer Overflow
Posted Aug 1, 2013
Authored by d3b4g

TEC-IT TBarCode OCX active-x control TBarCode4.ocx version 4.1.0 buffer overflow proof of concept exploit.

tags | exploit, overflow, activex, proof of concept
MD5 | 10c67c0fe953ce67a8329a27d7bfb86f
AXIS Media Control Active-X File Corruption
Posted Jun 13, 2013
Authored by Javier Repiso Sanchez

AXIS Media Control suffers from an ActiveX file corruption vulnerability. The vulnerability exists due to the ActiveX control including insecure "StartRecord()", "SaveCurrentIm age()" and "StartRecordMedia()" methods in "AxisMediaControlEmb.dll" DLL. This can be exploited to corrupt or create arbitrary files in the context of the current user.

tags | exploit, arbitrary, activex
advisories | CVE-2013-3543
MD5 | 36ad1514b9f0d50976d19afba8f716c9
Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
Posted Jun 10, 2013
Authored by sinn3r, h1ch4m | Site metasploit.com

This Metasploit module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX component, specifically PDF_IN_1.ocx. When a long string of data is given to the ConnectToSynactis function, which is meant to be used for the ldCmdLine argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry class pointer saved on the stack, and results in arbitrary code execution under the context of the user. Also note that since the WinExec function is used to call the default browser, you must be aware that: 1) The default must be Internet Explorer, and 2) When the exploit runs, another browser will pop up. Synactis PDF In-The-Box is also used by other software such as Logic Print 2013, which is how the vulnerability was found and publicly disclosed.

tags | exploit, arbitrary, code execution, activex
advisories | OSVDB-93754
MD5 | 5b622ead68d5bad6cb85265cc3c94c2d
Java Applet Driver Manager Privileged toString() Remote Code Execution
Posted Jun 10, 2013
Authored by juan vazquez, James Forshaw | Site metasploit.com

This Metasploit module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes, from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically throw the ActiveX control. Otherwise the applet is launched without click-to-play bypass.

tags | exploit, java, web, activex
advisories | CVE-2013-1488, OSVDB-91472
MD5 | 8047941c6cbc310111bf58285aeab37e
Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
Posted Jun 2, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit modules exploits a vulnerability found in the Oracle WebCenter Content CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where user controlled input is used to call ShellExecuteExW(). This Metasploit module abuses the control to execute an arbitrary HTA from a remote location. This Metasploit module has been tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle WebCenter Content 11.1.1.6.0.

tags | exploit, remote, arbitrary, activex
advisories | CVE-2013-1559, OSVDB-92386
MD5 | 30727e35d1bbe3f0a3ab33a41f925df4
SIEMENS Solid Edge ST4 SEListCtrlX Code Execution
Posted May 28, 2013
Authored by rgod | Site retrogod.altervista.org

SIEMENS Solid Edge ST4 SEListCtrlX active-x control SetItemReadOnly suffers from an arbitrary memory rewrite remote code execution vulnerability. Proof of concept included.

tags | exploit, remote, arbitrary, code execution, activex, proof of concept
systems | linux
MD5 | a118dcd112785d12a39adf1ac5528e02
IBM SPSS SamplePower C1Tab ActiveX Heap Overflow
Posted May 28, 2013
Authored by Alexander Gavrun, juan vazquez | Site metasploit.com

This Metasploit module exploits a heap based buffer overflow in the C1Tab ActiveX control, while handling the TabCaption property. The affected control can be found in the c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This Metasploit module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1.

tags | exploit, overflow, activex
systems | windows, xp, 7
advisories | CVE-2012-5946, OSVDB-92845
MD5 | ce698c98303b4f1491ee2e51696534d3
SIEMENS Solid Edge ST4 WebPartHelper Command Execution
Posted May 27, 2013
Authored by rgod | Site retrogod.altervista.org

SIEMENS Solid Edge ST4 WebPartHelper active-x control RFMSsvs!JShellExecuteEx suffers from a remote command execution vulnerability. Proof of concept included.

tags | exploit, remote, activex, proof of concept
systems | linux
MD5 | bdd9cbfc1d8fd0e77ab4e70228ce55c6
Page 2 of 37
Back12345Next

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    14 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close