CVE-2007-3435
Published 2007-06-27
Priority: P351, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 35.41% (98.2th percentile)
Stack-based buffer overflow in the BeginPrint method in a certain ActiveX control in RKD Software (barcodetools.com) BarCodeAx.dll 4.9 allows remote attackers to execute arbitrary code via a long argument.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rkd_software | barcode_activex | — | — |
Detection & IOCs (extracted from sources)
- Buffer overflow is triggered via the BeginPrint method of the BarCodeAx.dll ActiveX control; monitor for ActiveX instantiation of CLSID C26D9CA8-6747-11D5-AD4B-C01857C10000 followed by a call to BeginPrint with arguments exceeding 656 bytes.
- "We need 656 bytes to overflow the buffer and rewrite EBP + EIP"; alert on strings of 656+ bytes passed to BeginPrint.
- Exploit delivery is via a crafted HTML page served to Internet Explorer; look for HTML pages containing an ActiveX object tag referencing CLSID C26D9CA8-6747-11D5-AD4B-C01857C10000 and a BeginPrint call with a long string argument.
- The EIP overwrite value 0x7E3FAAEB (little-endian %EB%AA%3F%7E) is used in the PoC exploit; detect this byte sequence near offset 656 in BeginPrint argument data.
- The Metasploit module's only defined target is Windows XP SP0 English using a hardcoded JMP ESP gadget in ws2_32.dll; the return address 0x71ab7bfb is ASLR-free and specific to that OS/SP combination.
- The PoC was tested on Windows XP SP2 (English/French) with IE 6.0/7.0 and Windows Vista Professional SP1 with IE 7.0; detection coverage should account for these platforms.
- The Metasploit module sets autofilter to false, meaning it will respond to all requests regardless of User-Agent; network-based detection should not rely solely on browser fingerprinting.
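The first three indicators above can be combined into a static check over captured HTML (proxy or mail-gateway bodies). The following is an added example, not code from this page, Exploit-DB or Metasploit; the verdict names and the sample pages are constructed for illustration, and only the CLSID and the 656-byte threshold come from the page.

```python
import re
from urllib.parse import unquote_to_bytes

CLSID = "C26D9CA8-6747-11D5-AD4B-C01857C10000"  # control CLSID quoted on this page
OVERFLOW_LEN = 656                               # bytes to reach saved EBP/EIP, per this page

CLASSID_RE = re.compile(r"clsid:\{?" + re.escape(CLSID) + r"\}?", re.I)
CALL_RE = re.compile(r"\.\s*BeginPrint\s*\(", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Single-line quoted literal with backslash escapes, double- or single-quoted.
LITERAL_RE = re.compile(r'"((?:[^"\\\n]|\\.)*)"' + r"|'((?:[^'\\\n]|\\.)*)'")

def longest_literal(script):
    """Byte length of the longest quoted literal after %XX decoding."""
    best = 0
    for m in LITERAL_RE.finditer(script):
        text = m.group(1) if m.group(1) is not None else m.group(2)
        # %uXXXX escapes are left undecoded, so they are over-counted, not missed.
        best = max(best, len(unquote_to_bytes(text)))
    return best

def classify(html):
    """Return a verdict tier (hypothetical names) for one HTML body."""
    if not CLASSID_RE.search(html):
        return "clean"
    scripts = SCRIPT_RE.findall(html)
    if not any(CALL_RE.search(s) for s in scripts):
        return "control-present"      # control instantiated, method not called
    if max(longest_literal(s) for s in scripts) >= OVERFLOW_LEN:
        return "alert"                # call plus a literal long enough to overflow
    return "beginprint-call"          # argument may be assembled at runtime

# Constructed sample pages (filler bytes only).
OBJ_TAG = '<object id="ctl" classid="clsid:%s"></object>' % CLSID
SAMPLES = {
    "literal": OBJ_TAG + '<script>ctl.BeginPrint("%s");</script>' % ("A" * 700),
    "encoded": OBJ_TAG + '<script>ctl.BeginPrint(unescape("%s"));</script>' % ("%41" * 700),
    "runtime": OBJ_TAG + '<script>var s="";while(s.length<700)s+="A";ctl.BeginPrint(s);</script>',
    "normal": OBJ_TAG + '<script>ctl.BeginPrint("Label job 1");</script>',
    "other": '<script>printer.BeginPrint("x");</script>',
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(f"{name:8} {classify(page)}")
```

Static matching cannot see an argument that is grown in a loop, which is why the "runtime" sample lands in the lower `beginprint-call` tier instead of being dropped; any page that instantiates this control and calls BeginPrint is worth retaining for review.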
No detection rules found.
Exploit-DB
RKD Software BarCode ActiveX Control 'BarCodeAx.dll' 4.9 - Remote Stack Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: barcode_ax49.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in RKD Software Barcode Application
ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint
method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary c
Exploit-DB
RKD Software BarCode ActiveX Control 'BarCodeAx.dll' 4.9 - Remote Overflow
exploitdb·2007-06-22
---
:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:
BarCodeAx.dll v. 4.9 ActiveX Control Remote Stack Buffer Overflow
Internal ID: VULWAR200706223
Introduction
BarCodeAx.dll is a library included in the Barcode ActiveX software
package from the Company RKD:
(http://www.barcodetools.com/barcode/barcode-activex/barcode-activex.html)
This package allows managing the printing of different barcodes.
One of the BarcodeAx.dll exported methods is vulnerable to a stack buffer
overflow which can be remotely exploited.
Tested in:
- Windows XP SP2 English/French with IE 6.0 / 7.0
- Windows Vista Professional SP1 with IE 7.0
Summary
The BeginPrint method fail to correctly check the siz
Metasploit
RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow
metasploit
This module exploits a stack buffer overflow in RKD Software Barcode Application ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://goodfellas.shellcode.com.ar/own/VULWAR200706223.txt
- http://osvdb.org/37482
- http://secunia.com/advisories/25788
- http://www.securityfocus.com/archive/1/472189/100/0/threaded
- http://www.securityfocus.com/bid/24596
- http://www.vupen.com/english/advisories/2007/2305
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35011
- https://www.exploit-db.com/exploits/4094