Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan



Vantage Linguistics AnswerWorks

The third and last example of ActiveX vulnerabilities concerns Vantage Linguistics AnswerWorks. Advisories covering this vulnerability were released in December 2007. The awApi4.AnswerWorks.1 control exports several functions that are prone to stack-based buffer overflows. The functions GetHistory(), GetSeedQuery() and SetSeedQuery() fail to properly handle long strings provided by a malicious website. The resulting stack-based buffer overflow allows for the execution of arbitrary code, as "e.b." demonstrates with a proof of concept that binds a shell to port 4444 when the exploit succeeds.

When the exploit is loaded from a web server, it instantiates the CLSID and links the created object to a variable named obj. It then calls the GetHistory() function with a carefully crafted string, which consists of 214 A's to fill the buffer followed by a return address that overwrites the one saved on the stack. After those 4 bytes come 12 NOPs and then finally the shellcode. As one can easily see, this exploit is based on the same techniques that can be seen in many other stack-based exploits.

The exploit mentioned in this example can also be found on Milw0rm: http://www.milw0rm.com/exploits/4825.
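
The instantiate-then-call pattern described above can be detected in page content before it reaches the browser. The following is an added example, not code from the article or from any advisory: it finds script names bound to the control and flags calls to the three affected methods whose argument is not a short literal. The CLSID is not given on this page, so `CLSID` is a placeholder, and `MAX_LITERAL`, the function names and the sample page are constructed assumptions.

```python
import re

PROGID = "awApi4.AnswerWorks.1"            # ProgID named in the article
CLSID = "00000000-0000-0000-0000-000000000000"  # placeholder: CLSID is not on the page
METHODS = ("GetHistory", "GetSeedQuery", "SetSeedQuery")
MAX_LITERAL = 64                           # assumed cut-off for a harmless literal

# Constructed sample page (benign), not taken from any advisory or exploit.
SAMPLE = """
<object id="obj" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>
var help = new ActiveXObject("awApi4.AnswerWorks.1");
help.SetSeedQuery("printer setup");
obj.GetHistory(longValue);
</script>
"""

def bound_names(html, clsid=CLSID):
    """Script names bound to the control, by ProgID or by <object classid>."""
    names = set()
    progid = r"(\w+)\s*=\s*new\s+ActiveXObject\(\s*['\"]%s['\"]" % re.escape(PROGID)
    for m in re.finditer(progid, html, re.I):
        names.add(m.group(1))
    classid = r"classid\s*=\s*['\"]?clsid:\{?%s" % re.escape(clsid)
    for tag in re.findall(r"<object\b[^>]*>", html, re.I):
        ident = re.search(r"\bid\s*=\s*['\"]?(\w+)", tag, re.I)
        if ident and re.search(classid, tag, re.I):
            names.add(ident.group(1))
    return names

def scan_page(html, clsid=CLSID):
    """Return (name, method, severity) for each call to an affected method."""
    findings = []
    for name in sorted(bound_names(html, clsid)):
        call = r"\b%s\.(%s)\s*\(\s*([^)]*)\)" % (re.escape(name), "|".join(METHODS))
        for m in re.finditer(call, html, re.I):
            arg = m.group(2).strip()
            # Only an empty argument or one short quoted literal is "low";
            # variables and concatenations can carry an over-long string.
            lit = re.fullmatch(r"(['\"])([^'\"]*)\1", arg)
            short = arg == "" or (lit is not None and len(lit.group(2)) <= MAX_LITERAL)
            findings.append((name, m.group(1), "low" if short else "high"))
    return findings

if __name__ == "__main__":
    for finding in scan_page(SAMPLE):
        print(finding)
```

A static scan like this only sees script that is present verbatim in the response; pages that obfuscate the ProgID or method names need script-level instrumentation instead.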