CVE-2007-6530
Published: 2007-12-27
Priority: P3 · 51 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 36.83% (98.3th percentile)
Buffer overflow in the XUpload.ocx ActiveX control in Persits Software XUpload 2.1.0.1, and probably other versions before 3.0, as used by HP Mercury LoadRunner and Groove Virtual Office, allows remote attackers to execute arbitrary code via a long argument to the AddFolder function.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| persits | xupload | — | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the XUpload.ocx ActiveX control in browser context, particularly calls to the AddFolder() method with arguments exceeding 1388 bytes, which triggers the stack buffer overflow.
- The exploit uses a return address of 0x323ad95f located in PocoNet.dll on Windows XP SP2 Pro English with IE6 SP0-SP2. Monitor for ROP/return-to-lib pivots into PocoNet.dll.
- The overflow offset is 1388 bytes before the saved return address. Alert on AddFolder() calls with string arguments longer than 1388 characters.
- The PoC exploit uses a JavaScript loop to build a large buffer and passes it to AddFolder(). Monitor browser script execution that constructs very long strings and passes them to ActiveX methods.
- The Metasploit module targets only Windows XP SP2 Pro English with IE6 SP0-SP2 using a hardcoded return address in PocoNet.dll. Other OS/browser/SP combinations are not covered by this target and would require different return addresses.
- The vulnerability affects XUpload versions before 3.0. Versions 3.0 and later are stated as not affected. Verify the exact version of XUpload.ocx deployed.
- The vulnerable control is embedded in multiple products (HP Mercury LoadRunner and Groove Virtual Office), so detection/patching must cover all host applications, not just HP LoadRunner.
- Payload space is limited to 800 bytes and requires a stack adjustment of -3500 bytes; shellcode exceeding these constraints will not function correctly with this exploit.
No detection rules found.
Exploit-DB
HP LoadRunner 9.0 - ActiveX AddFolder Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: hp_loadrunner_addfolder.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Persits Software Inc's
XUpload ActiveX control(version 2.1.0.1) thats included in HP LoadRunner 9.0.
By passing an overly long string to the AddFolder method, an attacker may be
able to execute arbitrary code.
},
'License' => MSF_LIC
Exploit-DB
Persits Software XUpload Control - 'AddFolder()' Remote Buffer Overflow
exploitdb·2007-12-28
---
Persits Software XUpload Control AddFolder BoF
Exploit
function Check() {
var buf = 'A';
while (buf.length
Unable to create object
# milw0rm.com [2007-12-28]
Metasploit
HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control (version 2.1.0.1) that's included in HP LoadRunner 9.0. By passing an overly long string to the AddFolder method, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://marc.info/?l=full-disclosure&m=119863639428564&w=2
- http://osvdb.org/39901
- http://secunia.com/advisories/28145
- http://secunia.com/advisories/28205
- http://secunia.com/advisories/28218
- http://www.securityfocus.com/bid/27025
- http://www.securitytracker.com/id?1019147
- http://www.vupen.com/english/advisories/2007/4310