CVE-2008-3878
Published: 2008-09-02
Priority P354, critical, CVSS 2.0 score 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 36.23% (98.3th percentile)
Stack-based buffer overflow in the Ultra.OfficeControl ActiveX control in OfficeCtrl.ocx 2.0.2008.801 in Ultra Shareware Ultra Office Control allows remote attackers to execute arbitrary code via long strUrl, strFile, and strPostData parameters to the HttpUpload method.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ultrashareware | ultra_office_control | — | — |
Detection & IOCs
bytes:
%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800
- Detect instantiation of the vulnerable ActiveX control by its CLSID (00989888-BB72-4E31-A7C6-5F819C24D2F7) or ProgID (Ultra.OfficeControl) in HTML/script content.
- Detect calls to the HttpUpload method on the Ultra.OfficeControl ActiveX object with excessively long strUrl, strFile, or strPostData arguments (triggering the stack-based buffer overflow).
- The SEH overwrite offset is 252 bytes into the exploit buffer; monitor for structured exception handler overwrites at this offset in conjunction with OfficeCtrl.ocx being loaded.
- The exploit payload bad characters include null bytes; payloads delivered via this vector will avoid \x00 bytes. Payload space is up to 4096 bytes.
- The exploit was tested against two specific ActiveX versions; other versions may behave differently.
- The Metasploit module uses a heap-spray technique (not a direct RET overwrite) due to input restrictions on the HttpUpload arguments.
- Additional bad characters apply specifically to the HttpUpload arguments beyond the standard null-byte restriction.
- Original PoC was tested only on Windows XP Professional SP3 fully patched with Internet Explorer 7.
No detection rules found.
Exploit-DB
Ultra Shareware Office Control - ActiveX HttpUpload Buffer Overflow (Metasploit)
exploitdb·2010-09-20
---
##
# $Id: ultraoffice_httpupload.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Ultra Shareware's Office
Control. When processing the 'HttpUpload' method, the arguments are concatenated
together to form a command line to run a bundled version of cURL. If the command
fails to run
Exploit-DB
Ultra Shareware Office Control - ActiveX Control Remote Buffer Overflow
exploitdb·2008-08-27
---
Ultra Office ActiveX Control Remote Buffer Overflow
url: http://www.ultrashareware.com
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on Windows XP Professional SP3 all patched, with Internet Explorer 7
Metasploit
Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in Ultra Shareware's Office Control. When processing the 'HttpUpload' method, the arguments are concatenated together to form a command line to run a bundled version of cURL. If the command fails to run, a stack-based buffer overflow occurs when building the error message. This is due to the use of sprintf() without proper bounds checking. NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified.
No writeups or analysis indexed.
- http://secunia.com/advisories/31632
- http://securityreason.com/securityalert/4200
- http://www.securityfocus.com/bid/30861
- http://www.shinnai.net/index.php?mod=02_Forum&group=Security&argument=Remote_performed_exploits&topic=1219826651.ff.php
- http://www.shinnai.net/xplits/TXT_RvfuIrwypWLMaiVn33Iy.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44749
- https://www.exploit-db.com/exploits/6318
Published: 2008-09-02