|Informative Information for the Uninformed|
The third and last example of various ActiveX vulnerabilities is in the Vantage Linguistics AnswerWorks. Advisories covering this vulnerability were released in December 2007. The awApi4.AnswerWorks.1 control exports several functions that are prone to stack-based buffer overflows. The functions
When the exploit is loaded from a web server, it instantiates the control by its CLSID and binds the created object to a variable named obj. It then calls the GetHistory() function with a carefully crafted string: 214 A's to fill the buffer, followed by a return address that overwrites the one saved on the stack. After those 4 bytes come 12 NOPs and then, finally, the shellcode. As one can easily see, this exploit relies on the same techniques found in many other stack-based exploits.
The exploit mentioned in this example can also be found on Milw0rm: http://www.milw0rm.com/exploits/4825.
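As a defender-side illustration added here (not code from the article, the advisory or the milw0rm exploit), the following Python scans a captured HTML page for instantiation of the awApi4.AnswerWorks.1 ProgID and for a GetHistory() call whose string argument is longer than the 214-byte filler described above. The sample pages and all helper names are constructed for this example; strings built in loops rather than assigned as literals are not resolved.

```python
import re

# Values quoted in the text above: the vulnerable ProgID, the overflowed export
# and the filler length the exploit uses to reach the saved return address.
VULN_PROGID = "awApi4.AnswerWorks.1"
VULN_METHODS = {"GetHistory"}
BUFFER_LEN = 214

INSTANTIATE_RE = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)
ASSIGN_RE = re.compile(r'\b(\w+)\s*=\s*(["\'])(.*?)\2\s*;', re.S)
CALL_RE = re.compile(r'\.(\w+)\s*\(\s*([^)]*?)\s*\)', re.S)
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%u[0-9a-fA-F]{4}')


def literal_length(body):
    r"""Approximate byte length of a JS string literal body: \xHH counts as one
    byte, \uHHHH and unescape-style %uHHHH as two, everything else one per char."""
    escaped = sum(1 if m.group(0).startswith("\\x") else 2
                  for m in ESCAPE_RE.finditer(body))
    return escaped + len(ESCAPE_RE.sub("", body))


def scan_page(html):
    """Return (progids, findings): ProgIDs the page instantiates and, if the vulnerable
    control is among them, (method, arg, length) for every oversized GetHistory call."""
    progids = [m.group(1) for m in INSTANTIATE_RE.finditer(html)]
    if VULN_PROGID.lower() not in (p.lower() for p in progids):
        return progids, []          # control never instantiated: nothing to check
    literals = {m.group(1): literal_length(m.group(3)) for m in ASSIGN_RE.finditer(html)}
    findings = []
    for m in CALL_RE.finditer(html):
        method, arg = m.group(1), m.group(2)
        if method not in VULN_METHODS:
            continue
        if len(arg) >= 2 and arg[0] in "\"'" and arg[-1] == arg[0]:
            length = literal_length(arg[1:-1])   # inline string literal
        else:
            length = literals.get(arg, 0)        # variable; loop-built strings stay 0
        if length > BUFFER_LEN:
            findings.append((method, arg, length))
    return progids, findings


# Constructed sample pages for this example (not the milw0rm exploit): the first
# follows the layout described above with the shellcode replaced by a marker.
SAMPLE_PAGE = ('<script>var obj = new ActiveXObject("awApi4.AnswerWorks.1");\n'
               'var s = "' + "A" * 214 + "BBBB" + "\\x90" * 12 + 'SHELLCODE_PLACEHOLDER";\n'
               "obj.GetHistory(s);</script>")
BENIGN_PAGE = ('<script>var obj = new ActiveXObject("awApi4.AnswerWorks.1");\n'
               'obj.GetHistory("recent");</script>')
```

A proxy or mail-gateway rule built on the same idea would also key on the control's CLSID, which the page does not give; the ProgID check alone misses pages that use the CLSID directly.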