Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan

Next: Summary Up: Examples Previous: HP Info Center   Contents

Vantage Linguistics AnswerWorks

The third and last example of various ActiveX vulnerabilities is in the Vantage Linguistics AnswerWorks. Advisories covering this vulnerability were released in December, 2007. The awApi4.AnswerWorks.1 control exports several functions which are prone to stack-based buffer overflows. The functions GetHistory(), GetSeedQuery() and SetSeedQuery() fail to properly handle long strings provided by a malicious website. The resulting stack-based buffer overflow allows for the execution of arbitrary code, as "e.b." demonstrates with a proof of concept that binds a shell to port 4444 when the exploit succeeds.

When the exploit is loaded from a webserver it instatiates the CLSID and links the created object to a variable named obj. It then calls the GetHistory() function with a carefully crafted string which consists of 214 A's to fill the buffer followed by a return address which overwrites the one saved on the stack. After those 4 bytes come 12 NOPs and then finally the shellcode. As one can easily see, this exploit is based on the same techniques that can be seen in many other stack-based exploits.

The exploit mentioned in this example can also be found on Milw0rm: http://www.milw0rm.com/exploits/4825.