CVE-2010-0356
published 2010-01-18

CVE-2010-0356: Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8…

Priority: P357 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module, see below)
EPSS: 30.38% (98.0th percentile)
Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows remote attackers to execute arbitrary code via a long strFontName parameter to the DrawText method.

Affected (1 range)

Vendor: viscomsoft
Product: movie_player_pro_sdk_activex
Version range: not stated in the record
Fixed in: not stated in the record

Detection & IOCs (extracted from sources)

filename: MoviePlayer.ocx
CLSID: {F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E}
ProgID: MOVIEPLAYER.MoviePlayerCtrl.1
command: DrawText with an overly long strFontName (>24 bytes)
ROP gadget: 0x10015201 (POP EBP # RETN 08 [MOVIEP~1.OCX])
ROP gadget: 0x10014361 (MOV ESP,EBP # POP EBP # RETN 08 [MOVIEP~1.OCX])
ROP gadget: 0x1001c049 (RETN [MOVIEP~1.OCX])
bytes (URL-encoded shellcode prefix; a jmp/pop/call GetPC stub followed by the header of an alphanumeric decoder):
%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36
  • Detect instantiation of the vulnerable ActiveX control by its CLSID {F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E} or ProgID MOVIEPLAYER.MoviePlayerCtrl.1 in HTML/script content.
  • Alert on calls to the DrawText method of MOVIEPLAYER.MoviePlayerCtrl.1 whose strFontName (6th) argument exceeds 24 bytes; that is the length at which the stack-based buffer overflow triggers.
  • The exploit targets IE6/7/8 on Windows and relies on Java for its DEP/ASLR bypass on Vista and Windows 7; monitor browser traffic for Java-assisted ActiveX exploitation patterns.
  • The Metasploit module sets 'migrate -f' as its InitialAutoRunScript; alert on process migration that follows shortly after a browser exploitation event.
  • Detect the presence of MoviePlayer.ocx (version 6.8.0.0) on endpoints. The control reports itself Safe for Scripting via IObjectSafety, but its registry keys are NOT marked safe, so it is exploitable from a web page that tricks the user into trusting the publisher.
  • Exploitation requires the victim to explicitly trust the publisher 'Viscom Software' in Internet Explorer before the ActiveX control can be instantiated.
  • The EIP overwrite gadget address (%40%46%E3%77, a CALL EBP in user32.dll) is specific to Windows 2000 Professional SP4; other OS/service-pack combinations need different return addresses.
  • The Metasploit module's DEP/ASLR bypass ROP chain uses hardcoded offsets within MoviePlayer.ocx; these offsets are specific to version 6.8.0.0 and will not apply to other versions.
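The first two detection points above (control instantiation by CLSID/ProgID, and DrawText calls with an over-long strFontName) plus the shellcode-prefix IOC can be checked statically over captured HTML/JS. The scanner below is an added example written for this page, not code from the CVE record, the Metasploit module or Viscom. It assumes only what the record states: the CLSID, the ProgID, the 24-byte threshold on the 6th DrawText argument and the listed GetPC stub bytes. The sample page it scans is constructed; the other DrawText argument values in it are placeholders, not the control's real signature.

```python
import re

# IOCs as listed in the record above
CLSID = "F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E"
PROGID = "MOVIEPLAYER.MoviePlayerCtrl.1"
MAX_FONTNAME = 24                                  # strFontName longer than this overflows
GETPC_STUB = "%eb%03%59%eb%05%e8%f8%ff%ff%ff"      # prefix of the listed shellcode bytes

CLSID_RE = re.compile(r"clsid:\{?" + CLSID + r"\}?", re.I)
PROGID_RE = re.compile(r"ActiveXObject\s*\(\s*['\"]" + re.escape(PROGID) + r"['\"]", re.I)
DRAWTEXT_RE = re.compile(r"\.DrawText\s*\(", re.I)
# simple `name = "literal"` bindings, so a variable passed as strFontName can be resolved
VAR_RE = re.compile(r"\b(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*(['\"])(.*?)\2", re.S)


def split_args(src, pos):
    """Split the argument list of a call whose opening '(' is at src[pos].
    Respects nested parentheses and quoted strings (with backslash escapes).
    Returns the list of raw argument texts, or None if the call is unterminated."""
    args, buf, depth, quote, i = [], [], 0, None, pos + 1
    while i < len(src):
        c = src[i]
        if quote:
            buf.append(c)
            if c == "\\" and i + 1 < len(src):
                buf.append(src[i + 1])
                i += 1
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
            buf.append(c)
        elif c == "(":
            depth += 1
            buf.append(c)
        elif c == ")":
            if depth == 0:
                args.append("".join(buf).strip())
                return args
            depth -= 1
            buf.append(c)
        elif c == "," and depth == 0:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    return None


def literal_length(arg, bindings):
    """Byte length of arg if it is a string literal or a name bound to one;
    None when it cannot be resolved statically."""
    m = re.fullmatch(r"(['\"])(.*)\1", arg, re.S)
    if m:
        return len(m.group(2).encode())
    if arg in bindings:
        return len(bindings[arg].encode())
    return None


def scan(content):
    """Run the detections over one HTML/JS document.
    Returns a list of (rule, detail) hits; an empty list means nothing matched."""
    hits = []
    if CLSID_RE.search(content):
        hits.append(("activex_clsid", CLSID))
    if PROGID_RE.search(content):
        hits.append(("activex_progid", PROGID))
    if GETPC_STUB in content.lower():
        hits.append(("getpc_stub", GETPC_STUB))
    bindings = {name: value for name, _, value in VAR_RE.findall(content)}
    for m in DRAWTEXT_RE.finditer(content):
        args = split_args(content, m.end() - 1)        # m.end()-1 is the '('
        if args is None or len(args) < 6:
            continue
        n = literal_length(args[5], bindings)           # strFontName is the 6th argument
        if n is None:
            hits.append(("drawtext_unresolved", args[5]))   # worth a look, cannot size it
        elif n > MAX_FONTNAME:
            hits.append(("drawtext_overflow", "strFontName=%d bytes" % n))
    return hits


# Constructed sample pages (not captured traffic). Argument positions other than
# the 6th are placeholders.
MALICIOUS_SAMPLE = (
    '<object classid="clsid:{' + CLSID + '}" id="target"></object>\n'
    '<script>\n'
    'var o = new ActiveXObject("' + PROGID + '");\n'
    'var sc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49");\n'
    'var fontname = "' + "A" * 100 + '";\n'
    'target.DrawText(0, 0, 1, 1, "hello", fontname, 12, 0);\n'
    '</script>\n'
)
BENIGN_SAMPLE = 'x.DrawText(0, 0, 1, 1, "hello", "Arial", 12, 0);\n'

if __name__ == "__main__":
    for rule, detail in scan(MALICIOUS_SAMPLE):
        print(rule, detail)
```

The variable-resolution step matters in practice: exploit pages rarely pass the overflowing string inline, so a rule that only inspects string literals at the call site will miss the common form. Arguments that cannot be resolved (`unescape(...)`, concatenations, function results) are surfaced as `drawtext_unresolved` rather than silently dropped.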