============================================================================================
Microsoft DirectX 9 Video Mixer Renderer (msvidctl.dll) ActiveX Multiple Remote Vulnerabilities
============================================================================================
by Asheesh Kumar Mani Tripathi

# Vulnerability Discovered By Asheesh Kumar Mani Tripathi
# email informationhacker08@gmail.com
# company www.aksitservices.co.in
# Credit by Asheesh Anaconda
# Date 25th Sep 2010

# Description:

The Microsoft DirectX 9 Video Mixer Renderer ActiveX object implemented in msvidctl.dll is susceptible to multiple vulnerabilities, including a buffer overflow and an integer overflow. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious web page; a successful exploit allows the attacker to execute arbitrary code in the context of the application (typically Internet Explorer) that hosts the ActiveX control. The control invokes CustomCompositorClas on a separate thread.

The CLSID of the affected ActiveX control is 24DC3975-09BF-4231-8655-3EE71F43837D.
=============================================Proof Of Concept=============================================

=============================================Detail=============================================

Exception Code: VC_THROW_SEH
Disasm: 7752FBAE LEAVE

Seh Chain:
--------------------------------------------------
1 60BB87E5 MSVidCtl.DLL
2 6C312960 VBSCRIPT.dll
3 77B699FA ntdll.dll

Called From           Returns To
--------------------------------------------------
KERNEL32.7752FBAE     msvcrt.763132FF
msvcrt.763132FF       MSVidCtl.60B007A8
MSVidCtl.60B007A8     MSVidCtl.60B60250
MSVidCtl.60B60250     MSVidCtl.60B50DB8
MSVidCtl.60B50DB8     OLEAUT32.7779546D
OLEAUT32.7779546D     OLEAUT32.7779565E
OLEAUT32.7779565E     OLEAUT32.77795D7C
OLEAUT32.77795D7C     MSVidCtl.60AFF6B6
MSVidCtl.60AFF6B6     VBSCRIPT.6C2C3EB7
VBSCRIPT.6C2C3EB7     VBSCRIPT.6C2C3E27
VBSCRIPT.6C2C3E27     VBSCRIPT.6C2C3397
VBSCRIPT.6C2C3397     VBSCRIPT.6C2C3D88
VBSCRIPT.6C2C3D88     VBSCRIPT.6C2D1302
VBSCRIPT.6C2D1302     VBSCRIPT.6C2C63EE
VBSCRIPT.6C2C63EE     VBSCRIPT.6C2C6373
VBSCRIPT.6C2C6373     VBSCRIPT.6C2C6BA5
VBSCRIPT.6C2C6BA5     VBSCRIPT.6C2C6D9D
VBSCRIPT.6C2C6D9D     VBSCRIPT.6C2C5103
VBSCRIPT.6C2C5103     SCROBJ.6CAF43F1
SCROBJ.6CAF43F1       SCROBJ.6CAF49AA
SCROBJ.6CAF49AA       SCROBJ.6CAF4845
SCROBJ.6CAF4845       SCROBJ.6CAF47E2
SCROBJ.6CAF47E2       SCROBJ.6CAF47A7
SCROBJ.6CAF47A7       A23C33
A23C33                A16AD4
A16AD4                A13158
A13158                A122D7
A122D7                A15182
A15182                A15430
A15430                KERNEL32.7753D0E9
KERNEL32.7753D0E9     ntdll.77BA19BB
ntdll.77BA19BB        ntdll.77BA198E

Registers:
--------------------------------------------------
EIP 7752FBAE -> E06D7363 -> Asc: csmcsm
EAX 0013E95C -> E06D7363 -> Asc: csmcsm
EBX 60AFACE8 -> 60B9C8EC
ECX 00000003
EDX 00000000
EDI 0013EAA4 -> AD2D71FC
ESI 0013EA94 -> 00000000
EBP 0013E9AC -> 0013E9E4
ESP 0013E95C -> E06D7363 -> Asc: csmcsm

Block Disassembly:
--------------------------------------------------
7752FB9B PUSH EAX
7752FB9C CALL 7753A4D7
7752FBA1 ADD ESP,C
7752FBA4 LEA EAX,[EBP-50]
7752FBA7 PUSH EAX
7752FBA8 CALL [774F1714]
7752FBAE LEAVE              <--- CRASH
7752FBAF RETN 10
7752FBB2 NOP
7752FBB3 NOP
7752FBB4 NOP
7752FBB5 NOP
7752FBB6 NOP
7752FBB7 MOV EDI,EDI
7752FBB9 PUSH EBP

ArgDump:
--------------------------------------------------
EBP+8  E06D7363
EBP+12 00000001
EBP+16 00000003
EBP+20 0013E9D8 -> 19930520
EBP+24 E06D7363
EBP+28 00000001

Stack Dump:
--------------------------------------------------
13E95C 63 73 6D E0 01 00 00 00 00 00 00 00 AE FB 52 77 [csm...........Rw]
13E96C 03 00 00 00 20 05 93 19 F8 E9 13 00 4C F3 BB 60 [............L..`]
13E97C 7F 00 00 00 1D 01 04 18 D8 08 00 00 00 00 00 00 [................]
13E98C 20 00 00 00 00 37 1F 00 18 00 00 00 63 01 00 50 [............c..P]
13E99C 00 37 1F 00 E6 71 BC 77 FF 36 1F 00 FA 36 1F 00 [.....q.w........]

ApiLog
--------------------------------------------------
***** Installing Hooks *****
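Added triage helper, not part of the original advisory, that parses the debugger dump format shown above and classifies the reported exception: it extracts the SEH chain, the call-stack modules and RaiseException's first argument, and distinguishes the Visual C++ throw code 0xE06D7363 (with its 0x19930520 magic in the argument block) from the access-violation and /GS codes that mark a memory-safety candidate. The embedded sample is a trimmed copy of the dump above; the field layout it expects (ArgDump EBP+8 as the exception code, EBP+20 as the argument array) is an assumption about this tool's output.

```python
import re

# Constructed sample: a trimmed copy of the advisory's crash dump above.
DUMP = """Exception Code: VC_THROW_SEH
Disasm: 7752FBAE LEAVE
Seh Chain:
1 60BB87E5 MSVidCtl.DLL
2 6C312960 VBSCRIPT.dll
3 77B699FA ntdll.dll
Called From Returns To
KERNEL32.7752FBAE msvcrt.763132FF
msvcrt.763132FF MSVidCtl.60B007A8
MSVidCtl.60B007A8 MSVidCtl.60B60250
Registers:
EIP 7752FBAE -> E06D7363 -> Asc: csmcsm
ArgDump:
EBP+8 E06D7363
EBP+12 00000001
EBP+16 00000003
EBP+20 0013E9D8 -> 19930520
"""

# Documented Windows/MSVC exception codes a triager checks before calling a crash a buffer overflow.
EXCEPTION_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION: memory-safety candidate, inspect the faulting access",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN: /GS cookie failure, stack overflow candidate",
    0xE06D7363: "MSVC C++ exception ('msc'): raised deliberately by _CxxThrowException",
}
RUNTIME_MODULES = {"KERNEL32", "MSVCRT", "NTDLL"}

def triage(dump: str) -> dict:
    """Pull the fields that decide whether a crash deserves memory-safety follow-up."""
    seh = re.findall(r"^\d+ [0-9A-F]{8} (\S+)$", dump, re.M)
    frames = re.findall(r"^(\w+)\.[0-9A-F]{8} \w+\.[0-9A-F]{8}$", dump, re.M)
    # Assumption about this tool's layout: ArgDump EBP+8 is RaiseException's
    # first argument (the exception code) and EBP+20 points at its argument array.
    code_m = re.search(r"^EBP\+8 ([0-9A-F]{8})$", dump, re.M)
    code = int(code_m.group(1), 16) if code_m else None
    magic = re.search(r"^EBP\+20 [0-9A-F]{8} -> ([0-9A-F]{8})$", dump, re.M)
    first_app = next((m for m in frames if m.upper() not in RUNTIME_MODULES), None)
    return {
        "exception_code": code,
        "meaning": EXCEPTION_CODES.get(code, "unclassified"),
        "cxx_throw_magic": bool(magic and magic.group(1) == "19930520"),
        "seh_handler_modules": seh,
        "first_non_runtime_module": first_app,
        "memory_safety_candidate": code in (0xC0000005, 0xC0000409),
    }
```

Run `triage(DUMP)` on the sample: the exception code resolves to the MSVC throw code with the 0x19930520 magic present, the first non-runtime frame is MSVidCtl, and the crash is not flagged as a memory-safety candidate, which is the first thing to verify before treating a dump like this one as an overflow.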