# Exploit Title: Reflection Attachmate Reflection Standard Suite 2008 ActiveX buffer overflow
# Date: Mar 11, 2010 found
# Author: Rad L. Sneak (JB)
# Software Link: http://www.attachmate.com/Evals/ruo2/eval-form.htm
# Version: 13.0 & 14.0
# Tested on: WinXP SP3 & Win7 64bit
# CVE : None yet

Attachmate Reflection Standard Suite 2008 & Reflection X both contain a buffer overflow that could be triggered via ActiveX. When r2axctrl.ocx is sent a large string to the Reflection for UNIX & OpenVMS control class, a crash happens that overwrites EIP with 41414141.

Please let me know if there are problems with the attachment. It contains PoC code.

Thank you
Rad L. Sneak (JB)
# Code : [PoC exploit below]
______________________________________________________________________________
PoC1
______________________________________________________________________________
May need to throw a refresh to trigger PoC2 completely
______________________________________________________________________________
PoC2
______________________________________________________________________________
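
A defensive check for the control named above, as an added example that is not part of the original advisory: it lists every machine-wide COM registration whose in-process server is r2axctrl.ocx and reports whether the Internet Explorer kill bit (Compatibility Flags 0x400) is set for that CLSID. It assumes the control is registered under HKLM and that the script runs from 64-bit PowerShell on 64-bit Windows so both registry views are visible; no CLSID is hard-coded because the advisory does not give one.

```powershell
# Added example (not from the advisory): find where r2axctrl.ocx is registered
# as an in-process COM/ActiveX server and whether IE's kill bit is set for it.
# Assumptions: machine-wide (HKLM) registration; run from 64-bit PowerShell.
$ocxName = 'r2axctrl.ocx'   # file named in the advisory
$killBit = 0x400            # "Compatibility Flags" bit that blocks instantiation in IE

# 32-bit controls on 64-bit Windows live in the WOW6432Node view, and 32-bit IE
# reads its kill bits from the matching WOW6432Node compatibility key.
$views = @(
    @{ Name   = 'native'
       Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name   = '32-bit on 64-bit Windows'
       Clsid  = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$results = foreach ($view in $views) {
    if (-not (Test-Path $view.Clsid)) { continue }
    foreach ($key in Get-ChildItem -Path $view.Clsid -ErrorAction SilentlyContinue) {
        $server = Join-Path $key.PSPath 'InprocServer32'
        if (-not (Test-Path -LiteralPath $server)) { continue }
        $binary = (Get-Item -LiteralPath $server).GetValue('')   # default value = path to binary
        if ($binary -notlike "*$ocxName*") { continue }

        # A missing compatibility key or value means no kill bit is set.
        $flags = 0
        $compatKey = Join-Path $view.Compat $key.PSChildName
        if (Test-Path -LiteralPath $compatKey) {
            $flags = [int](Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags', 0)
        }
        [pscustomobject]@{
            View    = $view.Name
            CLSID   = $key.PSChildName
            Binary  = $binary
            KillBit = [bool]($flags -band $killBit)
        }
    }
}

if ($results) { $results | Format-Table -AutoSize }
else { "No control backed by $ocxName is registered under HKLM." }
```

Any row with KillBit = False marks a registration that Internet Explorer will still instantiate from a web page.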