Rapid7 Vulnerability & Exploit Database

TeeChart Professional ActiveX Control Trusted Integer Dereference

Back to Search

TeeChart Professional ActiveX Control Trusted Integer Dereference



This module exploits an integer overflow in TeeChart Pro ActiveX control. When sending an overly large/negative integer value to the AddSeries() property of TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the value and is later directly trusted and called upon. This module has been designed to bypass DEP only under IE8 with Java support. Multiple versions (including the latest version) are affected by this vulnerability that date back to as far as 2001. The following controls are vulnerable: TeeChart5.ocx Version (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4); TeeChart6.ocx Version (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD); TeeChart7.ocx Version (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E); TeeChart8.ocx Version (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196); TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258). The controls are deployed under several SCADA based systems including: Unitronics OPC server v1.3; BACnet Operator Workstation Version 1.0.76


  • mr_me <steventhomasseeley@gmail.com>
  • sinn3r <sinn3r@metasploit.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/teechart_pro
msf exploit(teechart_pro) > show targets
msf exploit(teechart_pro) > set TARGET < target-id >
msf exploit(teechart_pro) > show options
    ...show and set options...
msf exploit(teechart_pro) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security