CVE-2007-6530
published 2007-12-27


Priority: P3 (51) · severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: yes (Metasploit module and PoC referenced in the notes below)
EPSS: 36.83% (98.3th percentile)
Buffer overflow in the XUpload.ocx ActiveX control in Persits Software XUpload 2.1.0.1, and probably other versions before 3.0, as used by HP Mercury LoadRunner and Groove Virtual Office, allows remote attackers to execute arbitrary code via a long argument to the AddFolder function.

Affected (1 range)

Vendor    Product   Version range   Fixed in
persits   xupload   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

version: XUpload.ocx 2.1.0.1
other: CLSID used by the XUpload.ocx ActiveX control (AddFolder method)
address: 0x323ad95f (return address in PocoNet.dll, Windows XP SP2 Pro English / IE6 SP0-SP2)
  • Detect instantiation of the XUpload.ocx ActiveX control in browser context, particularly calls to the AddFolder() method with arguments exceeding 1388 bytes, which triggers the stack buffer overflow.
  • The exploit uses a return address of 0x323ad95f located in PocoNet.dll on Windows XP SP2 Pro English with IE6 SP0-SP2. Monitor for ROP/return-to-lib pivots into PocoNet.dll.
  • The overflow offset is 1388 bytes before the saved return address. Alert on AddFolder() calls with string arguments longer than 1388 characters.
  • The PoC exploit uses a JavaScript loop to build a large buffer and passes it to AddFolder(). Monitor browser script execution that constructs very long strings and passes them to ActiveX methods.
  • The Metasploit module targets only Windows XP SP2 Pro English with IE6 SP0-SP2 using a hardcoded return address in PocoNet.dll. Other OS/browser/SP combinations are not covered by this target and would require different return addresses.
  • The vulnerability affects XUpload versions before 3.0. Versions 3.0 and later are stated as not affected. Verify the exact version of XUpload.ocx deployed.
  • The vulnerable control is embedded in multiple products (HP Mercury LoadRunner and Groove Virtual Office), so detection/patching must cover all host applications, not just HP LoadRunner.
  • Payload space is limited to 800 bytes and requires a stack adjustment of -3500 bytes; shellcode exceeding these constraints will not function correctly with this exploit.
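As an added, defender-side example that is not part of this record: a small Python scanner for captured page scripts that flags the two AddFolder() patterns the notes above describe, a string literal longer than 1388 characters and a buffer grown in a loop and then passed to the control by name. The `up` handle and the sample script are constructed for the example, and lengths are counted in characters where the record gives bytes.

```python
import re

# Threshold from the record above: AddFolder() arguments longer than 1388 bytes
# overrun the stack buffer in XUpload.ocx (CVE-2007-6530). Lengths are counted
# in characters here, which equals bytes for the ASCII buffers the PoC builds.
OVERFLOW_THRESHOLD = 1388

# obj.AddFolder("...") or obj.AddFolder('...') with a string-literal argument
LITERAL_CALL = re.compile(r"""\.AddFolder\s*\(\s*(["'])(.*?)\1\s*\)""",
                          re.IGNORECASE | re.DOTALL)
# obj.AddFolder(name) with a bare identifier argument
IDENT_CALL = re.compile(r"\.AddFolder\s*\(\s*([A-Za-z_$][\w$]*)\s*\)", re.IGNORECASE)
# an identifier appended to inside a for/while loop body: for (...) { name += ...
LOOP_APPEND = re.compile(r"(?:for|while)\s*\([^)]*\)\s*\{?[^}]*?\b([A-Za-z_$][\w$]*)\s*\+=",
                         re.DOTALL)


def _line_of(text, pos):
    """1-based line number of offset pos in text."""
    return text.count("\n", 0, pos) + 1


def scan_script(text):
    """Return findings for AddFolder() calls matching the overflow patterns."""
    findings = []
    for m in LITERAL_CALL.finditer(text):          # oversized string literals
        arg_len = len(m.group(2))
        if arg_len > OVERFLOW_THRESHOLD:
            findings.append({"line": _line_of(text, m.start()),
                             "kind": "long-literal", "length": arg_len})
    loop_built = set(LOOP_APPEND.findall(text))     # variables grown in a loop
    for m in IDENT_CALL.finditer(text):             # buffer passed by name
        if m.group(1) in loop_built:
            findings.append({"line": _line_of(text, m.start()),
                             "kind": "loop-built-buffer", "length": None})
    return findings


# Constructed sample script (not a real capture): a benign call, an oversized
# literal, and the loop-built buffer pattern described in the record.
SAMPLE_SCRIPT = (
    'up.AddFolder("C:\\\\Inbox\\\\docs");\n'
    'up.AddFolder("' + "A" * 1400 + '");\n'
    'var buf = "";\n'
    'for (var i = 0; i < 200; i++) { buf += "AAAAAAAA"; }\n'
    'up.AddFolder(buf);\n'
)

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
```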