CVE-2008-3878
published 2008-09-02


Priority: P354, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: EXPLOIT
EPSS: 36.23% (98.3th percentile)

Stack-based buffer overflow in the Ultra.OfficeControl ActiveX control in OfficeCtrl.ocx 2.0.2008.801 in Ultra Shareware Ultra Office Control allows remote attackers to execute arbitrary code via long strUrl, strFile, and strPostData parameters to the HttpUpload method.

Affected

1 range
Vendor: ultrashareware
Product: ultra_office_control

Detection & IOCs (extracted from sources)

other: Ultra.OfficeControl
other: CLSID: 00989888-BB72-4E31-A7C6-5F819C24D2F7
filename: OfficeCtrl.ocx
bytes: %uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800

  • Detect instantiation of the vulnerable ActiveX control by its CLSID (00989888-BB72-4E31-A7C6-5F819C24D2F7) or ProgID (Ultra.OfficeControl) in HTML/script content.
  • Detect calls to the HttpUpload method on the Ultra.OfficeControl ActiveX object with excessively long strUrl, strFile, or strPostData arguments (triggering the stack-based buffer overflow).
  • The SEH overwrite offset is 252 bytes into the exploit buffer; monitor for structured exception handler overwrites at this offset in conjunction with OfficeCtrl.ocx being loaded.
  • The exploit payload bad characters include null bytes; payloads delivered via this vector will avoid \x00 bytes. Payload space is up to 4096 bytes.
  • The exploit was tested against two specific ActiveX versions; other versions may behave differently.
  • The Metasploit module uses a heap-spray technique (not a direct RET overwrite) due to input restrictions on the HttpUpload arguments.
  • Additional bad characters apply specifically to the HttpUpload arguments beyond the standard null-byte restriction.
  • Original PoC was tested only on Windows XP Professional SP3 fully patched with Internet Explorer 7.
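
A static content check for the first two detection points above, as an added example (not code from this page, the vendor, or the Metasploit module). The `LONG_ARG` threshold reuses the 252-byte offset cited above as an assumed cut-off, and the sample input is constructed. Arguments built at runtime will only surface as a plain `httpupload-call` finding.

```python
import re

CLSID = "00989888-BB72-4E31-A7C6-5F819C24D2F7"  # from the page
PROGID = "Ultra.OfficeControl"                   # from the page
LONG_ARG = 252  # assumption: flag string literals at or past the cited offset

_CLSID_RE = re.compile(r"clsid\s*:\s*\{?" + re.escape(CLSID) + r"\}?", re.I)
_PROGID_RE = re.compile(r"""["']""" + re.escape(PROGID) + r"""(?:\.\d+)?["']""", re.I)
_CALL_RE = re.compile(r"\.\s*HttpUpload\s*\(", re.I)
_STR_RE = re.compile(r""""((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'""", re.S)

def _call_args(text, start):
    """Return the argument text of a call whose '(' ends just before `start`."""
    depth, i, quote = 1, start, None
    while i < len(text) and depth:
        c = text[i]
        if quote:
            if c == "\\":
                i += 1              # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    return text[start:i - 1] if depth == 0 else text[start:]

def scan(content):
    """Return finding labels for one HTML/script document."""
    findings = []
    if _CLSID_RE.search(content):
        findings.append("clsid-instantiation")
    if _PROGID_RE.search(content):
        findings.append("progid-instantiation")
    for m in _CALL_RE.finditer(content):
        args = _call_args(content, m.end())
        longest = max((len(a or b) for a, b in _STR_RE.findall(args)), default=0)
        findings.append("httpupload-long-literal" if longest >= LONG_ARG
                        else "httpupload-call")
    return findings

# Constructed sample: embeds the control and calls HttpUpload with short arguments.
SAMPLE = ('<object classid="clsid:00989888-BB72-4E31-A7C6-5F819C24D2F7" id="c">'
          '</object><script>c.HttpUpload("http://example.test/u", "a.doc", "x=1");</script>')
if __name__ == "__main__":
    print(scan(SAMPLE))
```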