<![CDATA[
<body link="#0A3078" hlink="#F1A400" vlink="#8eb2d3" alink="#8eb2d3" marginheight="0" topmargin="0" vspace="0" marginwidth="0" leftmargin="0" hspace="0" onLoad="MM_preloadImages('../images/pentest_home_over.jpg','../images/pentest_sessions_over.jpg','../images/pen_test_over.jpg','../images/pentest_data_over.jpg','../images/pentest_options_over.jpg','../images/connections_over.jpg','../images/exploits.jpg','../images/pentest_help_over.jpg','../images/pentest_vulnerability_scanner_tab_over.jpg')">
<a name="top"></a>
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="16" align="left"><img src="../images/left_top_corner_white.gif" alt="" width="16" height="16"></td>
<td bgcolor="#ffffff"></td>
<td width="16" align="right"><img src="../images/right_top_corner_white.gif" alt="" width="16" height="16"></td>
</tr>
<tr>
<td colspan="3" bgcolor="#ffffff">
<table width="697" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><img src="../images/pentest_banner_top.jpg" width="697" height="32" alt="SAINT banner"></td>
</tr>
<tr>
<td width="559"><img src="../images/pentest_banner_bottom.jpg" width="559" height="25" alt=""""></td>
<td width="131"><a href="/saint.html" target="_top" onClick="MM_goToURL('parent','../../saint/saint.html');return document.MM_returnValue"><img src="../images/pentest_vulnerability_scanner_tab.jpg" alt="Vulnerability Scanning" name="scanner" width="131" height="25" onMouseOver="MM_swapImage('scanner','','../images/pentest_vulnerability_scanner_tab_over.jpg',1)" onMouseOut="MM_swapImgRestore()" border="0"></a></td>
<td width="7"><img src="../images/pentest_banner_right.jpg" width="7" height="25"></td>
</tr>
</table>
</td>
</tr>
<tr>
<td bgcolor="#ffffff"></td>
<td bgcolor="#ffffff" align="center">
<table width="698" border="0" cellpadding="0" cellspacing="0">
<tr width="698">
<td width="73"><a href="home.html" target="_top" onMouseOut="hideDropDown(''); MM_swapImgRestore();" onMouseOver="showDropDown(''); MM_swapImage('pentest_home','','../images/pentest_home_over.jpg','exploits','','../images/exploits.jpg',1);" onClick="MM_goToURL('parent','home.html');return document.MM_returnValue"><img src="../images/pentest_home.jpg" width="73" height="64" name="pentest_home" border="0" alt="Home |"></a></td>
<td width="93"><a href="saint_data_form.html" target="_top" onMouseOut="hideDropDown('sessions_sub'); MM_swapImgRestore();" onMouseOver="showDropDown('sessions_sub'); MM_swapImage('pentest_sessions','','../images/pentest_sessions_over.jpg','exploits','','../images/exploits.jpg',1);" onClick="MM_goToURL('parent','saint_data_form.html');return document.MM_returnValue"><img src="../images/pentest_sessions.jpg" width="93" height="64" name="pentest_sessions" border="0" alt="Sessions |"></a></td>
<td width="93"><a href="saint_run_form.html" target="_top" onMouseOut="hideDropDown(''); MM_swapImgRestore();" onMouseOver="showDropDown(''); MM_swapImage('pen_test','','../images/pen_test_over.jpg','exploits','','../images/exploits.jpg',1);" onClick="MM_goToURL('parent','saint_run_form.html');return document.MM_returnValue"><img src="../images/pen_test.jpg" width="93" height="64" name="pen_test" border="0" alt="PenTest Setup |"></a></td>
<td width="89"><a href="analysis.html" target="_top" onMouseOut="hideDropDown('data_sub'); MM_swapImgRestore();" onMouseOver="showDropDown('data_sub'); MM_swapImage('pentest_data','','../images/pentest_data_over.jpg','exploits','','../images/exploits.jpg',1);" onClick="MM_goToURL('parent','analysis.html');return document.MM_returnValue"><img src="../images/pentest_data.jpg" width="89" height="64" name="pentest_data" border="0" alt="Reports |"></a></td>
<td width="93"><a href="saint_cf_form.html" target="_top" onMouseOut="hideDropDown('options_sub'); MM_swapImgRestore();" onMouseOver="showDropDown('options_sub'); MM_swapImage('pentest_options','','../images/pentest_options_over.jpg','exploits','','../images/exploits.jpg',1);" onClick="MM_goToURL('parent','saint_cf_form.html');return document.MM_returnValue"><img src="../images/pentest_options.jpg" width="93" height="64" name="pentest_options" border="0" alt="Configuration |"></a></td>
<td width="101"><a href="connections.html" target="_top" onMouseOut="hideDropDown(''); MM_swapImgRestore();" onMouseOver="showDropDown(''); MM_swapImage('connections','','../images/connections_over.jpg','exploits','','../images/exploits.jpg',1);" onClick="MM_goToURL('parent','connections.html');return document.MM_returnValue"><img src="../images/connections.jpg" width="101" height="64" name="connections" border="0" alt="Connections |"></a></td>
<td width="95"><a href="exploits.html" target="_top" onMouseOut="hideDropDown('exploits_sub');" onMouseOver="showDropDown('exploits_sub');" onClick="MM_goToURL('parent','exploits.html');return document.MM_returnValue"><img src="../images/exploits_over.jpg" width="95" height="64" name="exploits" border="0" alt="Exploits |"></a></td>
<td width="60"><a href="/cgi-bin/demo_doc.pl?doc_name=documentation.html" target="_top" onMouseOut="hideDropDown('help_sub'); MM_swapImgRestore();" onMouseOver="showDropDown('help_sub'); MM_swapImage('pentest_help','','../images/pentest_help_over.jpg','exploits','','../images/exploits.jpg',1);" onClick="MM_goToURL('parent','documentation.html');return document.MM_returnValue"><img src="../images/pentest_help.jpg" width="60" height="64" name="pentest_help" border="0" alt="Documentation"></a></td>
</tr>
<tr width="698" border="0" cellpadding="0" cellspacing="0">
<td colspan="8" onMouseOver="overDropDown();" onMouseOut="outDropDown();">
<!-- INSERT DIVS HERE FOR DROP MENUS //-->
<div id="sessions_sub"> <a href="saint_data_form,,,OpenCreate.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','saint_data_form,,,OpenCreate.html'); return document.MM_returnValue;">Open/Create</a> <a href="saint_data_form,,,Merge.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','saint_data_form,,,Merge.html'); return document.MM_returnValue;">Merge</a> <a href="saint_data_form,,,Delete.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','saint_data_form,,,Delete.html'); return document.MM_returnValue;">Delete</a> <a href="saint_data_form,,,Sanitize.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','saint_data_form,,,Sanitize.html'); return document.MM_returnValue;">Sanitize</a> </div><div id="data_sub"> <a href="saintwriter_form,.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','saintwriter_form,.html'); return document.MM_returnValue;">SAINTwriter</a> <a href="reporting/exploit_severities,.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','exploit_severities,.html'); return document.MM_returnValue;">By Severity</a> <a href="reporting/exploit_types,.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','exploit_types,.html'); return document.MM_returnValue;">By Name</a> <a href="reporting/exploit_hosts,.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','exploit_hosts,.html'); return document.MM_returnValue;">By Host</a> </div><div id="options_sub"> <a href="saint_cf_form,,selected_tab=ScanningOptions.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','saint_cf_form,,selected_tab=ScanningOptions.html'); return document.MM_returnValue;">Scanning Options</a> <a href="saint_cf_form,,selected_tab=StartupOptions.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','saint_cf_form,,selected_tab=StartupOptions.html'); return document.MM_returnValue;">Startup Options</a> </div><div id="exploits_sub"> <a href="exploits,,,,Exploits.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','exploits,,,,Exploits.html'); return document.MM_returnValue;">Exploits</a> <a href="exploits,,,,Tools.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','exploits,,,,Tools.html'); return document.MM_returnValue;">Tools</a> <a href="exploits,,,,Search.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','exploits,,,,Search.html'); return document.MM_returnValue;">Search</a> <a href="exploits,,,,ExploitServers.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','exploits,,,,ExploitServers.html'); return document.MM_returnValue;">Exploit Servers</a> </div><div id="help_sub"> <a href="/cgi-bin/demo_doc.pl?doc_name=documentation,.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','documentation,.html'); return document.MM_returnValue;">Contents</a> <a href="/cgi-bin/demo_doc.pl?doc_name=index,.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','index,.html'); return document.MM_returnValue;">Index</a> <a href="/cgi-bin/demo_doc.pl?doc_name=search_form,.html" class="lnk" onMouseOver="rescueDropDown();" target="_top" onClick="MM_goToURL('parent','search_form,.html'); return document.MM_returnValue;">Search</a> </div> <!-- END INSERT DIV MENU STUFFS //-->
</td>
</tr>
</table>
</td>
<td bgcolor="#ffffff"></td>
</tr>
<tr height="10">
<td colspan="3" height="15" bgcolor="#ffffff"></td>
</tr>
</table>
<a name="skipnav"></a>
<table cellpadding="0" cellspacing="0" border="0" align="center" width="730">
<tr>
<td width="16" bgcolor="#ffffff"></td>
<td width="698" bgcolor="#ffffff">
<span class="pageheader">Exploit - Windows Telephony API buffer overflow</span>
<table height="10">
<tr height="10" width="1">
<td height="10" width="1"></td>
</tr>
</table>
<div id="panel">
<table cellpadding="0" cellspacing="0" border="0" width="698">
<tr width="698" height="9">
<td width="9" height="9"><img src="../images/panel_top_left.gif" /></td>
<td width="680" class="border_top" height="9"></td>
<td width="9" height="9"><img src="../images/panel_top_right.gif" /></td>
</tr>
<tr valign="top" width="698">
<td width="9" class="border_left"></td>
<td width="680" bgcolor="#f6f7f7">
<table cellpadding="0" cellspacing="0" border="0">
<tr height="10">
<td colspan="3" height="10"></td>
</tr>
<tr>
<td width="10"></td>
<td width="660" class="content"><font face="Gill sans, sans-serif" size="2" color="787270">
<p>
<font color="green" size="2"><i>06/12/2007</i></font><br>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0058" target="cve"><font color="red" size="2">CVE-2005-0058</font></a><br>
<a href="http://www.securityfocus.com/bid/14518" target="cve"><font color="orange" size="2">BID-14518</font></a><br>
<a href="http://www.osvdb.org/18606" target="cve"><font color="purple" size="2">OSVDB-18606</font></a><br>
<p>
</td>
<td width="10"></td>
</tr>
</table>
<td width="9" class="border_right"></td>
</tr>
<tr height="10">
<td height="10" width="9" class="border_left"></td>
<td height="10" bgcolor="#f6f7f7"></td>
<td height="10" width="9" class="border_right"></td>
</tr>
<tr width="698" height="30">
<td width="9" height="30" class="border_left"></td>
<td width="680" height="30">
<table cellpadding="0" cellspacing="0" border="0" width="680" height="30">
<tr width="680" height="30">
<td width="10" height="30"><img src="../images/header_left.gif" /></td>
<td width="660" height="30" class="header" background="../images/header_bg.gif">
Background</td>
<td width="10" height="30"><img src="../images/header_right.gif" /></td>
</tr>
</table>
</td>
<td width="9" height="30" class="border_right"></td>
</tr>
<tr valign="top" width="698">
<td width="9" class="border_left"></td>
<td width="680" bgcolor="#f6f7f7">
<table cellpadding="0" cellspacing="0" border="0">
<tr height="10">
<td colspan="3" height="10"></td>
</tr>
<tr>
<td width="10"></td>
<td width="660" class="content"><font face="Gill sans, sans-serif" size="2" color="787270">
The Windows <a target="cve" href="http://msdn2.microsoft.com/en-us/library/aa922068.aspx">Telephony API</a> (TAPI)
provides telecommunications support for Windows
applications.
</font></td>
<td width="10"></td>
</tr>
</table>
<td width="9" class="border_right"></td>
</tr>
<tr height="10">
<td height="10" width="9" class="border_left"></td>
<td height="10" bgcolor="#f6f7f7"></td>
<td height="10" width="9" class="border_right"></td>
</tr>
<tr width="698" height="30">
<td width="9" height="30" class="border_left"></td>
<td width="680" height="30">
<table cellpadding="0" cellspacing="0" border="0" width="680" height="30">
<tr width="680" height="30">
<td width="10" height="30"><img src="../images/header_left.gif" /></td>
<td width="660" height="30" class="header" background="../images/header_bg.gif">
The Problem</td>
<td width="10" height="30"><img src="../images/header_right.gif" /></td>
</tr>
</table>
</td>
<td width="9" height="30" class="border_right"></td>
</tr>
<tr valign="top" width="698">
<td width="9" class="border_left"></td>
<td width="680" bgcolor="#f6f7f7">
<table cellpadding="0" cellspacing="0" border="0">
<tr height="10">
<td colspan="3" height="10"></td>
</tr>
<tr>
<td width="10"></td>
<td width="660" class="content"><font face="Gill sans, sans-serif" size="2" color="787270">
A buffer overflow in the Windows Telephony API allows
local attackers to execute commands with administrative privileges.
</font></td>
<td width="10"></td>
</tr>
</table>
<td width="9" class="border_right"></td>
</tr>
<tr height="10">
<td height="10" width="9" class="border_left"></td>
<td height="10" bgcolor="#f6f7f7"></td>
<td height="10" width="9" class="border_right"></td>
</tr>
<tr width="698" height="30">
<td width="9" height="30" class="border_left"></td>
<td width="680" height="30">
<table cellpadding="0" cellspacing="0" border="0" width="680" height="30">
<tr width="680" height="30">
<td width="10" height="30"><img src="../images/header_left.gif" /></td>
<td width="660" height="30" class="header" background="../images/header_bg.gif">
Resolution</td>
<td width="10" height="30"><img src="../images/header_right.gif" /></td>
</tr>
</table>
</td>
<td width="9" height="30" class="border_right"></td>
</tr>
<tr valign="top" width="698">
<td width="9" class="border_left"></td>
<td width="680" bgcolor="#f6f7f7">
<table cellpadding="0" cellspacing="0" border="0">
<tr height="10">
<td colspan="3" height="10"></td>
</tr>
<tr>
<td width="10"></td>
<td width="660" class="content"><font face="Gill sans, sans-serif" size="2" color="787270">
Apply the patch referenced in <a target="cve" href="http://www.microsoft.com/technet/security/bulletin/ms05-040.mspx">Microsoft Security Bulletin 05-040</a>.
</font></td>
<td width="10"></td>
</tr>
</table>
<td width="9" class="border_right"></td>
</tr>
<tr height="10">
<td height="10" width="9" class="border_left"></td>
<td height="10" bgcolor="#f6f7f7"></td>
<td height="10" width="9" class="border_right"></td>
</tr>
<tr width="698" height="30">
<td width="9" height="30" class="border_left"></td>
<td width="680" height="30">
<table cellpadding="0" cellspacing="0" border="0" width="680" height="30">
<tr width="680" height="30">
<td width="10" height="30"><img src="../images/header_left.gif" /></td>
<td width="660" height="30" class="header" background="../images/header_bg.gif">
More Information</td>
<td width="10" height="30"><img src="../images/header_right.gif" /></td>
</tr>
</table>
</td>
<td width="9" height="30" class="border_right"></td>
</tr>
<tr valign="top" width="698">
<td width="9" class="border_left"></td>
<td width="680" bgcolor="#f6f7f7">
<table cellpadding="0" cellspacing="0" border="0">
<tr height="10">
<td colspan="3" height="10"></td>
</tr>
<tr>
<td width="10"></td>
<td width="660" class="content"><font face="Gill sans, sans-serif" size="2" color="787270">
<a href="http://www.microsoft.com/technet/security/bulletin/ms05-040.mspx" target="cve">http://www.microsoft.com/technet/security/bulletin/ms05-040.mspx</a><br>
</font></td>
<td width="10"></td>
</tr>
</table>
<td width="9" class="border_right"></td>
</tr>
<tr height="10">
<td height="10" width="9" class="border_left"></td>
<td height="10" bgcolor="#f6f7f7"></td>
<td height="10" width="9" class="border_right"></td>
</tr>
<tr width="698" height="30">
<td width="9" height="30" class="border_left"></td>
<td width="680" height="30">
<table cellpadding="0" cellspacing="0" border="0" width="680" height="30">
<tr width="680" height="30">
<td width="10" height="30"><img src="../images/header_left.gif" /></td>
<td width="660" height="30" class="header" background="../images/header_bg.gif">
Limitations</td>
<td width="10" height="30"><img src="../images/header_right.gif" /></td>
</tr>
</table>
</td>
<td width="9" height="30" class="border_right"></td>
</tr>
<tr valign="top" width="698">
<td width="9" class="border_left"></td>
<td width="680" bgcolor="#f6f7f7">
<table cellpadding="0" cellspacing="0" border="0">
<tr height="10">
<td colspan="3" height="10"></td>
</tr>
<tr>
<td width="10"></td>
<td width="660" class="content"><font face="Gill sans, sans-serif" size="2" color="787270">
The Telephony service must be running on the target
in order for this exploit to succeed.
</font></td>
<td width="10"></td>
</tr>
</table>
<td width="9" class="border_right"></td>
</tr>
<tr height="10">
<td height="10" width="9" class="border_left"></td>
<td height="10" bgcolor="#f6f7f7"></td>
<td height="10" width="9" class="border_right"></td>
</tr>
<tr width="698" height="9">
<td width="9" height="9"><img src="../images/panel_bottom_left.gif" /></td>
<td width="680" height="9" class="border_bottom"></td>
<td width="9" height="9"><img src="../images/panel_bottom_right.gif" /></td>
</tr>
<tr width="698" height="10">
<td height="10" colspan="3"></td>
</tr>
</table>
</div>
<div id="panel">
<table cellpadding="0" cellspacing="0" border="0" width="698">
<tr width="698" height="9">
<td width="9" height="9"><img src="../images/panel_top_left.gif" /></td>
<td width="680" class="border_top" height="9"></td>
<td width="9" height="9"><img src="../images/panel_top_right.gif" /></td>
</tr>
<tr width="698" height="30">
<td width="9" height="30" class="border_left"></td>
<td width="680" height="30">
<table cellpadding="0" cellspacing="0" border="0" width="680" height="30">
<tr width="680" height="30">
<td width="10" height="30"><img src="../images/header_left.gif" /></td>
<td width="660" height="30" class="header" background="../images/header_bg.gif">
Actions</td>
<td width="10" height="30"><img src="../images/header_right.gif" /></td>
</tr>
</table>
</td>
<td width="9" height="30" class="border_right"></td>
</tr>
<tr valign="top" width="698">
<td width="9" class="border_left"></td>
<td width="680" bgcolor="#f6f7f7">
<table cellpadding="0" cellspacing="0" border="0">
<tr height="10">
<td colspan="3" height="10"></td>
</tr>
<tr>
<td width="10"></td>
<td width="660" class="content"><font face="Gill sans, sans-serif" size="2" color="787270">
<a href="exploit_run_form,,,,windows_tapi.html"><img border="0" src="../images/run_now.jpg" name="noname" onMouseOver="javascript:this.src='../images/run_now_over.jpg';" onMouseDown="javascript:this.src='../images/run_now_down.jpg';" onMouseUp="javascript:this.src='../images/run_now_over.jpg';" onMouseOut="javascript:this.src='../images/run_now.jpg';" alt="Run Now" ></a>
</font></td>
<td width="10"></td>
</tr>
</table>
<td width="9" class="border_right"></td>
</tr>
<tr height="10">
<td height="10" width="9" class="border_left"></td>
<td height="10" bgcolor="#f6f7f7"></td>
<td height="10" width="9" class="border_right"></td>
</tr>
<tr width="698" height="9">
<td width="9" height="9"><img src="../images/panel_bottom_left.gif" /></td>
<td width="680" height="9" class="border_bottom"></td>
<td width="9" height="9"><img src="../images/panel_bottom_right.gif" /></td>
</tr>
<tr width="698" height="10">
<td height="10" colspan="3"></td>
</tr>
</table>
</div>
</td>
<td width="16" bgcolor="#ffffff"></td>
</tr>
</table>
<table border="0" align="center" cellpadding="0" cellspacing="0" width="730" height="">
<tr width="730" height="">
<td width="16" align="left"><img src="../images/left_bottom_corner_white.gif" alt="" width="16" height="16"></td>
<td bgcolor="#ffffff" width="698"></td>
<td width="16" align="right"><img src="../images/right_bottom_corner_white.gif" alt="" width="16" height="16"></td>
</tr>
</table>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
</body>
]]>