CVE-2007-3435
published 2007-06-27

Priority: P3 (51)
Severity: critical (CVSS 2.0 base score 9.3)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 35.41% (98.2nd percentile)
Stack-based buffer overflow in the BeginPrint method in a certain ActiveX control in RKD Software (barcodetools.com) BarCodeAx.dll 4.9 allows remote attackers to execute arbitrary code via a long argument.

Affected (1 range)

Vendor: rkd_software
Product: barcode_activex
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: BarCodeAx.dll
other: CLSID C26D9CA8-6747-11D5-AD4B-C01857C10000
command: regsvr32 /u BarCodeAx.dll
other: 0x71ab7bfb (jmp esp in ws2_32.dll, Windows XP SP0 English)
command: BeginPrint(<656-byte overflow buffer>)
  • Buffer overflow is triggered via the BeginPrint method of the BarCodeAx.dll ActiveX control; monitor for ActiveX instantiation of CLSID C26D9CA8-6747-11D5-AD4B-C01857C10000 followed by a call to BeginPrint with arguments exceeding 656 bytes.
  • We need 656 bytes to overflow the buffer and rewrite EBP + EIP — alert on strings of 656+ bytes passed to BeginPrint.
  • Exploit delivery is via a crafted HTML page served to Internet Explorer; look for HTML pages containing an ActiveX object tag referencing CLSID C26D9CA8-6747-11D5-AD4B-C01857C10000 and a BeginPrint call with a long string argument.
  • The EIP overwrite value 0x7E3FAAEB (little-endian %EB%AA%3F%7E) is used in the PoC exploit; detect this byte sequence near offset 656 in BeginPrint argument data.
  • The Metasploit module's only defined target is Windows XP SP0 English using a hardcoded JMP ESP gadget in ws2_32.dll; the return address 0x71ab7bfb is ASLR-free and specific to that OS/SP combination.
  • The PoC was tested on Windows XP SP2 (English/French) with IE 6.0/7.0 and Windows Vista Professional SP1 with IE 7.0; detection coverage should account for these platforms.
  • The Metasploit module sets autofilter to false, meaning it will respond to all requests regardless of User-Agent; network-based detection should not rely solely on browser fingerprinting.