WinXP Pro SP2 lame local VMWare Buffer Overflow

Discovered By NormandiaN
Visit my website at http://www.grisapka.org

This will exploit overflow and execute calc.exe on WinXP Pro SP2
(fully patched) against VMWare 5.5.1 Initialize ActiveX member.

I have only found a bad solution to this bug. Due to the fact that
my controlling assembler is a call dword ptr[reg] I need to point
to a location I control, fine. However my payload is random pretty
much every run. Therefor I fill half a HUGE buffer with the address
(pointer) to my evil buffer, which them trampolines me to shellcode

call ptr [reg]
[reg] -> 0xtrampoline
0xtrampoline -> shellcode

This will exploit overflow and execute calc.exe on WinXP Pro SP2 (fully patched) against VMWare 5.5.1 Initialize ActiveX member.

This will exploit overflow and execute calc.exe on WinXP Pro SP2
(fully patched) against VMWare 5.5.1 Initialize ActiveX member.