Add OSVDB-93754: Synactis PDF In-The-Box ConnectToSynactic Stack Buffer ... #1916
FYI - 0c0d2028 may be a slightly more reliable target for the DEPS in the tests that we did across various IE versions

Thanks for the reminder, yeah, the Metasploit one is 0c0d2020 by default.... I forgot about that. I think I'll update that documentation.
```
var p2 = '';
eax = "#{eax}";

while (p1.length < 189) p1 += "\\x41";
```
Can be randomized?
I've decided not to because it looks like you're landing here. I'll put this as 0x0c to make sure you get code execution. Same for the 0x42 padding.
It's not working for me on Windows XP SP3 / IE7:
Working on IE7 right now:
But not on IE8 /windows xp sp3 on my testing:
Looks like the offset isn't consistent. It's landing at 0c0c0c0c instead of 0x20302028.

After digging with @wchen-r7, the overflow offset is dependent on the default browser configured in the machine. With IE8 as default browser, works fine:
Just to play with the firing order for Browser Autopwn, this one should fire as late as possible.
Awesome, merging!
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX component, specifically PDF_IN_1.ocx. When a long string of data is given to the ConnectToSynactis function, which is meant to be used for the ldCmdLine argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry class pointer saved on the stack, and results in arbitrary code execution under the context of the user.
I downloaded the component from Logic Print 2013, which can be found here:
http://www.logic-print.com/en/printestimatingsoftware.html
Or, ask me for the trial for testing.
Demo:
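The bug class the PR description gives (an unbounded strcpy into a stack buffer that runs over an object pointer saved beside it), as an added C model placed next to a bounded copy that refuses over-long input. This is illustrative code written for this page, not the Metasploit module or the Synactis component; the frame layout, buffer size, original pointer value and function names are assumed.

```c
/* Added illustration, not the module's or Synactis' code: a C model of the bug
 * class the PR describes (unbounded strcpy into a stack buffer clobbering an
 * object pointer saved beside it) next to a bounded copy that rejects over-long
 * input. Frame layout, sizes and names are assumed; the model keeps every
 * write inside one struct so it stays defined behaviour. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CMDLINE_MAX 64                 /* assumed size of the stack buffer */

/* Model of the stack frame: the command-line buffer followed by the saved
 * object pointer (the TRegistry-style pointer in the PR description). */
struct frame {
    unsigned char buf[CMDLINE_MAX];
    uintptr_t saved_obj;               /* stands in for the class pointer */
};

/* Unsafe copy: stops only at the NUL, like strcpy. The clamp exists so the
 * model never writes outside `struct frame`; the real routine had no bound.
 * Returns the number of bytes written. */
size_t copy_unbounded(struct frame *f, const char *arg) {
    size_t n = strlen(arg) + 1;        /* strcpy copies the terminator too */
    if (n > sizeof *f) n = sizeof *f;  /* model-only clamp */
    memcpy((unsigned char *)f, arg, n); /* runs past buf into saved_obj */
    return n;
}

/* Hardened copy: length validated first; over-long input is refused rather
 * than silently truncated, so saved_obj is never touched. */
int copy_bounded(struct frame *f, const char *arg) {
    size_t n = strlen(arg);
    if (n >= CMDLINE_MAX) return -1;   /* no room for arg plus its NUL */
    memcpy(f->buf, arg, n + 1);
    return 0;
}

/* Runs one copy against a constructed input and reports whether the saved
 * pointer survived: long_input selects a 100-byte run of 'A', otherwise a
 * short, legitimate-looking argument. Returns 1 if saved_obj is intact. */
int pointer_survives(int use_bounded, int long_input) {
    char longbuf[101];
    memset(longbuf, 'A', 100); longbuf[100] = '\0';
    const char *arg = long_input ? longbuf : "print.pdf";
    struct frame f = { {0}, (uintptr_t)0x10203040 }; /* assumed original */
    if (use_bounded) copy_bounded(&f, arg); else copy_unbounded(&f, arg);
    return f.saved_obj == (uintptr_t)0x10203040;
}
```

With the long input the unbounded copy overwrites the saved pointer with 0x41 bytes, which is the same failure the thread observes as control landing on the padding value; the bounded copy returns -1 and leaves the pointer intact.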