CVE-2010-0356
Published 2010-01-18
Priority P357 | critical | 9.3 (CVSS 2.0) | AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 30.38% (98.0th percentile)
Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows remote attackers to execute arbitrary code via a long strFontName parameter to the DrawText method.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| viscomsoft | movie_player_pro_sdk_activex | — | — |
Detection & IOCs
bytes: %eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36
- Detect instantiation of the vulnerable ActiveX control by its CLSID {F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E} or ProgID MOVIEPLAYER.MoviePlayerCtrl.1 in HTML/script content.
- Alert on calls to the DrawText method on MOVIEPLAYER.MoviePlayerCtrl.1 where the strFontName (6th) parameter exceeds 24 bytes, as this triggers the stack-based buffer overflow.
- The exploit targets Windows IE6/7/8 and uses Java for DEP/ASLR bypass on Vista and Win7; monitor for Java-assisted ActiveX exploitation patterns in browser traffic.
- The Metasploit module uses 'migrate -f' as InitialAutoRunScript; monitor for suspicious process migration activity following browser exploitation.
- Detect presence of MoviePlayer.ocx (version 6.8.0.0) on endpoints; the control is marked Safe for Script via IObjectSafety but its registry keys are NOT marked safe, making it exploitable from web pages that trick users into trusting the publisher.
- Exploitation requires the victim to explicitly trust the publisher 'Viscom Software' in Internet Explorer before the ActiveX control can be instantiated.
- The EIP overwrite gadget address (%40%46%E3%77, call EBP in user32.dll) is specific to Windows 2000 Professional SP4; different return addresses are needed for other OS/SP combinations.
- The Metasploit module's DEP/ASLR bypass ROP chain uses hardcoded offsets within MoviePlayer.ocx; these offsets are version-specific to 6.8.0.0 and will not apply to other versions.
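The first two detection items above, sketched as a static scanner for HTML/script content (an added example, not code from this page or its sources). Only the CLSID, ProgID, method name and the 24-byte limit on the 6th parameter come from the page; the sample documents and their positional argument values are constructed placeholders.

```python
import re

# CLSID, ProgID, method name and the 24-byte limit come from the page.
CLSID = "F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E"
PROGID = "MOVIEPLAYER.MoviePlayerCtrl.1"
MAX_FONT_NAME = 24  # strFontName (6th parameter) longer than this overflows
INSTANTIATION = re.compile(
    r"clsid:\s*\{?" + re.escape(CLSID) + r"\}?|" + re.escape(PROGID), re.I)
# Accepts both JScript "obj.DrawText(...)" and VBScript "obj.DrawText a, b".
DRAWTEXT_CALL = re.compile(r"\.DrawText\b\s*\(?(.*)", re.I)
LITERAL = re.compile(r"""^(["'])(.*?)\1""")

def split_args(text):
    """Split argument text on commas that are outside string literals."""
    args, cur, quote = [], "", None
    for ch in text:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == ",":
            args.append(cur.strip())
            cur = ""
            continue
        cur += ch
    return args + [cur.strip()]

def scan(content):
    """Return (rule, detail) findings for one HTML/script document."""
    if not INSTANTIATION.search(content):
        return []  # control never referenced; DrawText alone is too generic
    findings = [("instantiation", "control referenced by CLSID or ProgID")]
    for call in DRAWTEXT_CALL.finditer(content):
        args = split_args(call.group(1))
        if len(args) < 6:
            continue
        literal = LITERAL.match(args[5])
        if literal is None:  # built at runtime: length unknown statically
            findings.append(("drawtext-dynamic-font", args[5].rstrip(" );")))
        elif (size := len(literal.group(2).encode())) > MAX_FONT_NAME:
            findings.append(("drawtext-long-font", size))
    return findings

# Constructed samples; the first five argument values are placeholders.
BENIGN = ('<object classid="clsid:%s" id="mp"></object>\n'
          '<script>mp.DrawText(1, 2, 3, 4, 5, "Arial");</script>' % CLSID)
LONG_LITERAL = ('Set mp = CreateObject("%s")\n'
                'mp.DrawText 1, 2, 3, 4, 5, "%s"' % (PROGID, "A" * 40))
```

A 6th argument that is a variable cannot be measured statically, so the scanner reports it as `drawtext-dynamic-font` for review rather than passing it silently.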
No detection rules found.
Exploit-DB
Viscom Software Movie Player Pro SDK ActiveX 6.8 - Stack Buffer Overflow (Metasploit)
exploitdb·2011-11-20
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Viscom Software Movie Player Pro SDK ActiveX 6.8',
'Description' => %q{
Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control
in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows
remote attackers to execute arbitrary code via a long strFontName parameter to the
DrawText method.
The victim will first be required to trust the publisher Viscom Software
Exploit-DB
Viscom Software Movie Player Pro SDK ActiveX 6.8 - Remote Buffer Overflow
exploitdb·2010-04-21
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------------
Viscom Software Movie Player Pro SDK ActiveX 6.8 Remote Buffer Overflow
url: http://www.viscomsoft.com/
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net/
File name: MoviePlayer.ocx
Version: 6.8.0.0
GUID: {F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E}
ProgID: MOVIEPLAYER.MoviePlayerCtrl.1
Description: MoviePlayer Pro ActiveX
Safety report: RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller, data
IPStorage Safe: Safe for untrusted: caller, data
Vuln. Method: "DrawText"
Vuln. Param.: "st
Metasploit
Viscom Software Movie Player Pro SDK ActiveX 6.8
metasploit
Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows remote attackers to execute arbitrary code via a long strFontName parameter to the DrawText method. The victim will first be required to trust the publisher Viscom Software. This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.
No writeups or analysis indexed.
- http://secunia.com/advisories/38156
- http://www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt
- http://www.vupen.com/english/advisories/2010/0093
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55536