:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:
Internal ID: VULWAR200706223
BarCodeAx.dll is a library included in the Barcode ActiveX software
package from the Company RKD:
(http://www.barcodetools.com/barcode/barcode-activex/barcode-activex.html)
Such package allows to manage the printing of different barcodes.
One of the BarcodeAx.dll exported methods is vulnerable to a stack
buffer overflow which can be remotely exploited.
The BeginPrint method fail to correctly check the size of the arguments
that receives, causing a stack buffer overflow.
Any application that uses the said ActiveX to control barcodes would be
exposed to remote code execution.
June 21, 2007 – Bug discovery
June 22, 2007 – Bug published
Vulnerable method.
Sub BeginPrint (
ByVal name As String
)
We need 656 bytes to overflow the buffer and rewrite EBP + EIP.
Reversing
7C97DF40 PUSH 0
7C97DF42 PUSH ESI
7C97DF43 CALL 7C97CDC9
7C97DF48 MOV EBX,[EBP+10]
7C97DF4B LEA EDI,[EBX-8]
7C97DF4E MOV [EBP-2C],EDI
7C97DF51 MOVZX EAX,WORD PTR [EDI] <— CRASH
7C97DF54 SHL EAX,3
7C97DF57 MOV [EBP-30],EAX
7C97DF5A PUSH 7C97E11C
7C97DF5F PUSH EDI
7C97DF60 PUSH ESI
7C97DF61 CALL 7C97CC6D
7C97DF66 TEST AL,AL
7C97DF68 JE 7C97E0BF
Registers
EIP 41414141
EAX C0040204
EBX 00407830 -> 003E977D
ECX 0013ECE8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 00150608 -> 7C98C500
EDI 00000000
ESI 001844CC -> 00180008
EBP 41414141
ESP 0013EBE8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
–
GOODFELLAS (Shellcode Security Research)
http://goodfellas.shellcode.com.ar