CVE-2012-0284
published 2012-07-19


Priority: P261 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 36.32% (98.3th percentile)
Stack-based buffer overflow in the SetSource method in the Cisco Linksys PlayerPT ActiveX control 1.0.0.15 in PlayerPT.ocx on the Cisco WVC200 Wireless-G PTZ Internet video camera allows remote attackers to execute arbitrary code via a long URL in the first argument (aka the sURL argument).

Affected (1 range)

Vendor | Product | Version range | Fixed in
cisco | linksys_playerpt_activex_control | not listed | not listed

Detection & IOCs (extracted from sources)

CLSID: {9E065E4A-BD9D-4547-8F90-985DC62A5591}
Filename: PlayerPT.ocx
Command: obj.SetSource("http://...","mpeg","","","");
Version: PlayerPT ActiveX control 1.0.0.15
  • Detect instantiation of the vulnerable ActiveX control by its CLSID {9E065E4A-BD9D-4547-8F90-985DC62A5591} in web pages or registry; exploitation occurs via the SetSource method with an oversized sURL argument.
  • The exploit triggers a stack-based buffer overflow via msvcrt.sprintf inside the SetSource method; look for abnormally long URL strings passed as the first argument to SetSource in browser process memory or network traffic.
  • Exploitation targets Internet Explorer versions 6.0 through 9.0 on Windows; browser user-agent matching NT 5.1/6.0/6.1 with MSIE 6-9 is used by the Metasploit module to select the appropriate ROP chain.
  • For IE 8 on Windows XP SP3, the exploit uses a ROP pivot via msvcrt at 0x77c3546b (ret), 0x77c3546a (pop ebp; ret), and 0x77c35468 (mov esp,ebp; pop ebp; ret); presence of these ROP gadget addresses on the stack is a strong exploit indicator.
  • For JRE-assisted targets, the exploit uses ROP gadgets from msvcr71.dll at 0x7c3424f2 (ret), 0x7c3424f1 (pop ebp; ret), and 0x7c3424ef (mov esp,ebp; pop ebp; ret); these addresses on the stack indicate exploitation attempts against IE 8/9 with Java 6.
  • Heap spray uses 0x0c0c0c0c as the return address for IE 6 and IE 7 targets; detection of this value as an EIP/return address in crash dumps or memory scans indicates exploitation of this vulnerability.
  • The Metasploit module targets only Internet Explorer 6.0–9.0 on Windows; other browsers are explicitly rejected by the module's user-agent check.
  • The vulnerable component (PlayerPT.ocx version 1.0.0.15) is installed as part of the Cisco WVC200 camera's web interface; the ActiveX control must be present on the victim's Windows system for exploitation to succeed.
  • The Metasploit module's payload space is limited to 1024 bytes with NOPs disabled; payloads exceeding this size will not function correctly.