AoA MP4 Converter version 4.1.2 suffers from an overflow vulnerability.
cd63ce9472faafdf4e2e783946b14d6f167f018ab91f2599cfb2ebd6900462a4
AoA Audio Extractor Basic version 2.3.7 suffers from an overflow vulnerability.
dcf9cf1e13d58871d2e0e4bc3827849243e29adbcd9d4d52281ed0f2d1705f6c
AoA DVD Creator version 2.6.2 suffers from an overflow vulnerability.
2f31adef0c26503f7dcc55055e82e81b9c030906ddfc9884aac7a7f920f2863e
This Metasploit module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 12.0.0.43. By supplying a specially crafted SWF file it is possible to trigger an integer underflow in several AVM2 instructions, which can be turned into remote code execution under the context of the user, as exploited in the wild in February 2014. This Metasploit module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP SP3 and Windows 7 SP1, and with Adobe Flash Player 11.3.372.94 on Windows 8; it also carries ROP chains for several other Flash 11 versions, as seen in the in-the-wild exploit.
594482f5a1c495d45be1ca68abe48c4f709881980182d2ec20827c5366645e8c
This Metasploit module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This Metasploit module has been tested successfully on IE6 through IE10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 on Windows XP SP3 and Windows 7 SP1.
2547432fd02f1ba4aff29ae93a0c14c41a56c95f4cec7e25e1165d0846aa03ec
This Metasploit module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.5.502.149. By supplying a specially crafted SWF file carrying a crafted regular expression value, it is possible to trigger a memory corruption that results in remote code execution under the context of the user, as exploited in the wild in February 2013. This Metasploit module has been tested successfully with Adobe Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and on Windows 7 SP1 before MS13-063, since it takes advantage of a predictable SharedUserData to leak ntdll and bypass ASLR.
b765e1a53957bbf2df1ce33a8e36732231faa2f5864b98a4ceb6d3e0804e069a
This Metasploit module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada. The ProjectURL property can be abused to download and load arbitrary DLLs from arbitrary locations, leading to arbitrary code execution, because of a dangerous usage of LoadLibrary. Due to the nature of the vulnerability, this module will work only when Protected Mode is not present or not enabled.
ad47b03cb77be889b47d699cea4b847b22b73010c94c1218576856423018df63
MW6 Technologies has various active-x controls that suffer from buffer overflow vulnerabilities. Proof of concept code is included.
b3db5798c19a3d2d9c36503ff3c6adae47330561e39499f1617feed1f951c20c
DaumGame active-x control versions 1.1.0.5 and 1.1.0.4 suffer from a buffer overflow vulnerability. Proof of concept code included.
700de7f082a11cf764630d887c017c3cbc2790e1de57e8121f8094354020695e
This is a whitepaper that discusses using heap sprays with vulnerable active-x controls.
182912d0e8bbbc850abf4281ee8356d5767b5cb9c7194c7bbfc2b5eab415ddae
Lorex Security DVR systems suffer from an active-x related buffer overflow vulnerability.
a54d0f52ae58b40ee40061c7e9c569e51ba1726893d2ddd6e053141f37699907
This Metasploit module exploits a vulnerability found in Microsoft's handling of the Tagged Image File Format (TIFF). It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia. The flaw lies in how a DWORD value extracted from a TIFF file embedded as a drawing in a Microsoft Office document is combined with other user-controlled inputs to compute a size that is held in the EAX register. The computation overflows the 32-bit register and wraps to 0, yet the value is still pushed as the dwBytes (size) argument of a HeapAlloc call. HeapAlloc allocates a chunk anyway for size 0, and the address of that chunk is used as the destination buffer of a memcpy whose source buffer is the EXIF data (Exchangeable Image File Format metadata, which TIFF supports) and is also user-controlled. The memcpy overwrites a function pointer in the chunk returned by HeapAlloc, which is later used in OGL!GdipCreatePath. By controlling this function pointer, and shaping the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user.
36cbcba744d7659568ae499cb8f62964f839c74b64b5def580d9440a661806da
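The size arithmetic behind the TIFF entry above, as an added example. This is not code from the Microsoft component the entry describes; it models the bug class in plain C: a 32-bit allocation size derived from attacker-controlled fields wraps to 0, the allocator still returns a minimal chunk, and a copy sized from the input overruns it. malloc stands in for HeapAlloc, and the field names (count, elem_size), the 16-byte "EXIF" payload and the wrapping values are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not code from the Microsoft TIFF/OGL component. malloc
 * stands in for HeapAlloc; count/elem_size and the payload are assumed.
 */

#define SAMPLE_EXIF_LEN 16

/* Constructed sample payload standing in for attacker-controlled EXIF data. */
const uint8_t sample_exif[SAMPLE_EXIF_LEN] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42
};

/* Size computed the way the vulnerable code does: the product is truncated to
 * 32 bits, as when the result lives in EAX. 0x40000000 * 4 == 2^32 -> 0. */
static uint32_t unchecked_size(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)((uint64_t)count * elem_size);
}

/* Hardened computation: refuse a product that does not fit in 32 bits and
 * refuse a zero-byte destination, before anything reaches the allocator. */
static bool checked_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size == 0 || count == 0)
        return false;
    if (count > UINT32_MAX / elem_size)
        return false;                       /* would wrap */
    *out = count * elem_size;
    return true;
}

/*
 * Vulnerable path, simulated. Returns how many bytes the memcpy would write
 * past the end of the chunk (0 means the copy fits). The overrunning copy is
 * deliberately not performed so the example runs cleanly; in the real bug it
 * clobbered a function pointer that OGL!GdipCreatePath later called.
 */
size_t vulnerable_copy_overrun(uint32_t count, uint32_t elem_size,
                               const uint8_t *exif, uint32_t exif_len)
{
    uint32_t dwBytes = unchecked_size(count, elem_size);   /* may be 0 */
    uint8_t *chunk = malloc(dwBytes ? dwBytes : 1);        /* HeapAlloc(..., 0) still returns a chunk */
    size_t overrun = 0;

    if (chunk == NULL)
        return 0;
    if (exif_len > dwBytes)
        overrun = exif_len - dwBytes;       /* memcpy(chunk, exif, exif_len) would spill this far */
    else
        memcpy(chunk, exif, exif_len);
    free(chunk);
    return overrun;
}

/* Hardened path: returns 0 and fills *out with an exactly-sized copy, or -1
 * if the size is untrustworthy or the payload does not fit. */
int hardened_copy(uint32_t count, uint32_t elem_size,
                  const uint8_t *exif, uint32_t exif_len, uint8_t **out)
{
    uint32_t dwBytes;

    *out = NULL;
    if (!checked_size(count, elem_size, &dwBytes))
        return -1;
    if (exif_len > dwBytes)
        return -1;
    *out = malloc(dwBytes);
    if (*out == NULL)
        return -1;
    memcpy(*out, exif, exif_len);
    return 0;
}

/* Drives the vulnerable path with wrapping field values: 0x40000000 * 4. */
size_t demo_vulnerable(void)
{
    return vulnerable_copy_overrun(0x40000000u, 4u, sample_exif, SAMPLE_EXIF_LEN);
}

/* Same inputs through the hardened path: rejected before allocation. */
int demo_hardened(void)
{
    uint8_t *buf;
    int rc = hardened_copy(0x40000000u, 4u, sample_exif, SAMPLE_EXIF_LEN, &buf);
    free(buf);
    return rc;
}

/* Sane inputs (4 * 4 == 16 bytes) still work through the hardened path. */
int hardened_demo_benign(void)
{
    uint8_t *buf;
    int rc = hardened_copy(4u, 4u, sample_exif, SAMPLE_EXIF_LEN, &buf);
    int same = (rc == 0 && memcmp(buf, sample_exif, SAMPLE_EXIF_LEN) == 0);
    free(buf);
    return same;
}
```

The check in checked_size is the one a reviewer should look for wherever a size is multiplied from file-controlled fields: divide UINT32_MAX by one factor and compare, rather than multiplying and testing the result, because the wrapped product can look perfectly reasonable.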
This Metasploit module exploits a vulnerability in the CardSpaceClaimCollection class of the icardie.dll ActiveX control. The vulnerability lies in the handling of the CardSpaceClaimCollection object: a CardSpaceClaimCollection stores its elements in a SafeArray and keeps a size field counting the number of elements in the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. A later call to the add() method then uses the corrupted length field to compute the address at which to write into the SafeArray data, corrupting memory with a pointer to attacker-controlled contents. This Metasploit module achieves code execution by using VBScript, as discovered in the wild in November 2013, to (1) create an array of HTML OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data reuses one of the holes, (4) corrupt one of the legitimate OBJECT elements via the integer underflow described above, and (5) achieve code execution by forcing use of the corrupted OBJECT.
58f2175e1ed88e1751853e1d2aa79f7740fb2c4be64b98ebf51299e06cc219c0
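The remove()/add() length underflow from the icardie.dll entry above, as an added example. This is a toy written for this page, not code from icardie.dll: a fixed-capacity array standing in for the SafeArray data plus a signed length field, with the vulnerable methods beside hardened ones. Capacity, element type and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not code from icardie.dll. Models the entry's bug: the
 * vulnerable remove() decrements length without an emptiness check, so on an
 * empty collection it stores -1, and the next add() derives its write slot
 * from that value and targets memory before the array. Names are assumed.
 */

#define CAP 4

typedef struct {
    int32_t length;     /* number of live elements; goes negative in the bug */
    void   *data[CAP];  /* stands in for the SafeArray data block */
} claim_collection;

void collection_init(claim_collection *c)
{
    memset(c, 0, sizeof *c);
}

/* --- vulnerable API, as described in the entry --- */

/* remove(): no "is it empty?" check, so length underflows to -1. */
void vuln_remove(claim_collection *c)
{
    c->length--;
}

/*
 * add(): trusts length when computing the slot to write. Returns the byte
 * offset from the start of data[] that the write targets; a negative value
 * means the write lands in whatever heap memory precedes the array (in the
 * real exploit, an OBJECT element placed in an adjacent hole). The store is
 * only performed for in-range slots so this example does not corrupt its own
 * memory; the real control performed it unconditionally.
 */
int32_t vuln_add(claim_collection *c, void *elem)
{
    int32_t idx = c->length;
    int32_t byte_off = idx * (int32_t)sizeof(void *);

    if (idx >= 0 && idx < CAP)
        c->data[idx] = elem;
    c->length++;
    return byte_off;
}

/* --- hardened API --- */

bool safe_remove(claim_collection *c)
{
    if (c->length <= 0)
        return false;                 /* nothing to remove; length stays 0 */
    c->length--;
    return true;
}

bool safe_add(claim_collection *c, void *elem)
{
    if (c->length < 0 || c->length >= CAP)
        return false;                 /* corrupted or full: refuse rather than write out of bounds */
    c->data[c->length++] = elem;
    return true;
}

/* Replays the trigger against the vulnerable API: remove() on an empty
 * collection, then add() with a pointer to attacker-controlled bytes.
 * Returns the byte offset of the add()'s write relative to data[]. */
int32_t replay_vulnerable(void)
{
    static char controlled[] = "attacker-controlled contents";
    claim_collection c;

    collection_init(&c);
    vuln_remove(&c);                  /* length becomes -1 */
    return vuln_add(&c, controlled);  /* would write at data[-1] */
}

/* Same sequence against the hardened API. True if the remove() was rejected
 * and the add() landed in slot 0 with the length consistent. */
bool replay_hardened(void)
{
    static char controlled[] = "attacker-controlled contents";
    claim_collection c;
    bool removed, added;

    collection_init(&c);
    removed = safe_remove(&c);
    added = safe_add(&c, controlled);
    return !removed && added && c.length == 1 && c.data[0] == controlled;
}

/* The hardened add() also refuses to grow past the backing array. */
bool hardened_refuses_overfill(void)
{
    static char x[] = "x";
    claim_collection c;
    int i;

    collection_init(&c);
    for (i = 0; i < CAP; i++)
        if (!safe_add(&c, x))
            return false;
    return !safe_add(&c, x) && c.length == CAP;
}
```

The offset returned by replay_vulnerable is one pointer width before the data block, which is exactly why the exploit arranges for the SafeArray data to land in a hole next to an OBJECT element: the stray pointer write then lands on that object.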
Aladdin Knowledge Systems Ltd. PrivAgent active-x control overflow exploit.
78e1f9941ee243de2c6fa4f4dd4d806f45dbe201a8b08daf54b144678052bb4f
Indusoft Thin Client version 7.1 suffers from an active-x buffer overflow vulnerability.
c00e0788c5d6462b72882a1157510d0caed575ccdad96d8ed169da385363cbcc
This Metasploit module exploits the SEListCtrlX ActiveX control installed with the SIEMENS Solid Edge product. The vulnerability exists in several APIs provided by the control, where user-supplied input is handled as a memory pointer without proper validation, allowing an attacker to read and corrupt memory in the target process. This Metasploit module abuses the NumChildren() and DeleteItem() methods to achieve a memory info leak and remote code execution respectively. It has been tested successfully on IE6 through IE9 on Windows XP SP3 and Windows 7 SP1, using Solid Edge 10.4.
e226e603a3f8f22c21c0f2712cbfeaa7a0838b3fecca9d66915509a6db1d2185
SolarWinds Server and Application Monitor version 6.0 suffers from an active-x related buffer overflow vulnerability.
841395a87d46f8aba7dd14551684fe16b9e3de8cd2cb1433a295058e36790214
McKesson active-x control version 11.0.10.38 suffers from a variable enumeration vulnerability.
eb5a347719e20933c95310d59d0af5d7d0a513bcbf2f6ec63b483b1c7dc9b822
Apple Security Advisory 2013-09-18-1 - iTunes 11.1 is now available. A memory corruption issue existed in the iTunes ActiveX control. This issue was addressed through additional bounds checking.
46fc7b5eb3fefe13a291247cae855e3a91a0a0bd612ea62733b12ce2dc1e80a2
Mitsubishi MC-WorkX version 8.02 active-x control file execution proof of concept exploit.
051bf2d457fb3478224730c5a764957e57768528962485ff7c0f290f39f09bec
KingView version 6.53 has an insecure active-x control that allows for arbitrary file copying.
b16413ec1271c3727d0068f3aaa5e74cf60deb2c6fcbdfbe249e49df7374ffa2
KingView version 6.53 has an insecure active-x control that allows for arbitrary file creation and overwrite.
785c1ed4650168b152eb1ff73cd68727e7dd22759c9a9b2913d8f8f3b8aa9c10
This Metasploit module exploits a vulnerability in the lrFileIOService ActiveX control installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileString method, which allows the caller to write arbitrary files. It is abused to drop a payload embedded in a DLL, which is then loaded through the Init() method of the lrMdrvService control by way of an insecure LoadLibrary call. This Metasploit module has been tested successfully on IE8 on Windows XP. File system virtualization for low-integrity processes on Windows Vista and 7 will stop this module, because the DLL is dropped into a virtualized folder that LoadLibrary does not use.
4190aaee2f0f7797aa2729616b04019ec0f364bcd4a09603637a82a20624f5f6
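Both LoadLibrary entries on this page (the KingScada kxClientDownload.ocx ProjectURL abuse and the HP LoadRunner lrMdrvService Init() load of a dropped DLL) share one root cause: a library path the ActiveX caller can influence reaches LoadLibrary unvalidated. The following is an added example of the check a control should perform first; it is not code from either product. It accepts only an absolute path to a .dll sitting directly inside a fixed application directory and rejects relative names, UNC shares, URLs, parent-directory components, sub-paths and alternate data streams. The directory and file names are assumptions, and the actual LoadLibrary call is only compiled on Windows.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/*
 * Added example, not code from KingScada or HP LoadRunner. A string-level
 * allow-list for DLL paths handed to LoadLibrary; app_dir and the sample
 * paths are assumptions. The load itself only runs when built on Windows.
 */

/* Case-insensitive prefix match, ASCII only (enough for drive letters and
 * installation paths; not a substitute for canonicalising exotic names). */
static bool starts_with_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;             /* also fails when s is shorter */
    }
    return true;
}

static bool ends_with_nocase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && starts_with_nocase(s + (ls - lx), suffix);
}

/* True for "X:\..." with an ASCII drive letter. One check rules out
 * "\\server\share", "http://", ".\x.dll" and bare names. */
static bool is_drive_absolute(const char *p)
{
    return isalpha((unsigned char)p[0]) && p[1] == ':' && p[2] == '\\';
}

/*
 * Returns true only if `path` names a .dll directly inside `app_dir`.
 * app_dir is expected as "C:\Program Files\App" (absolute, no trailing slash).
 */
bool dll_path_is_allowed(const char *path, const char *app_dir)
{
    size_t dlen;
    const char *name;

    if (path == NULL || app_dir == NULL)
        return false;
    if (!is_drive_absolute(path) || !is_drive_absolute(app_dir))
        return false;

    dlen = strlen(app_dir);
    if (!starts_with_nocase(path, app_dir) || path[dlen] != '\\')
        return false;                 /* stops "C:\App" matching "C:\AppEvil" */

    name = path + dlen + 1;           /* file name component */
    if (strlen(name) <= 4)            /* at least one character before ".dll" */
        return false;
    if (strpbrk(name, "\\/:") != NULL)  /* sub-path, "..\" escape, "/" separator or ADS */
        return false;
    return ends_with_nocase(name, ".dll");
}

/*
 * Loader wrapper. Returns 1 if the path was rejected, 0 if it passed
 * validation (and, on Windows, loaded), -1 if LoadLibrary itself failed.
 * Because the validated path is absolute, no DLL search path is consulted.
 */
int load_plugin_checked(const char *path, const char *app_dir)
{
    if (!dll_path_is_allowed(path, app_dir))
        return 1;
#ifdef _WIN32
    {
        HMODULE h = LoadLibraryA(path);
        if (h == NULL)
            return -1;
        FreeLibrary(h);               /* demonstration only; a real caller keeps the handle */
    }
#endif
    return 0;                         /* non-Windows build: validation only */
}
```

This is a string check, so in a real control it belongs after canonicalisation (GetFullPathName on Windows), which collapses short 8.3 names and "\\?\" prefixes that a lexical test does not see; the dropped-DLL case in the LoadRunner entry is then closed by the same rule, since the writable drop location is never the application directory.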
This Metasploit module exploits a vulnerability in the lrFileIOService ActiveX control installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method, where user-provided data is used as a memory pointer. This Metasploit module has been tested successfully on IE6 through IE9 on Windows XP, Vista and 7, using LrWebIERREWrapper.dll 11.50.2216.0. To bypass ASLR, the non-ASLR-compatible module msvcr71.dll, which is installed with HP LoadRunner, is used.
a5e106a110e475d117b3500d373abbf472e7b81cec4cfdde2c8f9d7957853a9b
This paper describes the PE (Portable Executable) file format used by Windows executables (.exe), dynamic link libraries (.dll) and other files such as system drivers and ActiveX controls. It is written in Romanian.
a2646c777b4db6e736b6d280dbe7880941e981053a622f50cc9a96c813f0425e