Exploits
GHDB
Papers
Shellcodes
Search EDB
SearchSploit Manual
Submissions
Online Training
Stats
About Us
Search
Oracle AutoVue 20.0.1 AutoVueX ActiveX Control SaveViewStateToFile Remote File Creation / Overwrite Vulnerability tested against: Internet Explorer 8 Microsoft Windows Server 2003 r2 sp2 download url of a test version: http://www.oracle.com/technetwork/apps-tech/autovue/index.html file: AutoVueDemo2001.zip Background: the mentioned program installs an ActiveX control with the following settings: ProgID: AUTOVUEX.AutoVueXCtrl.1 CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F} Binary path: C:\PROGRA~1\av\avwin\AutoVueX.ocx Safe for initialization (registry): true Safe for scripting (registry): true This control is marked "safe for scripting" and "safe for initialization", Internet Explorer will allows scripting of this control. Vulnerability: The mentioned class contains the vulnerable SaveViewStateToFile() method, from the typelib: ... /* DISPID=116 */ /* VT_BOOL [11] */ function SaveViewStateToFile( /* VT_BSTR [8] */ $sFileName ) { } ... which allows to create / overwrite files with arbitrary extensions inside arbitrary locations. It was experimented that the content of theese files can be partially controlled by passing a remote file to the RestoreViewStateFromFile() method. The resulting file will look like this: 0 : 6b 00 00 00 07 00 41 56 31 37 5f 32 00 0a 00 56 [k.....AV17_2...V] 10 : 69 65 77 53 74 61 74 65 00 ff ff ff ff 00 00 01 [iewState........] 20 : 00 00 00 01 00 00 00 6f 8f 96 d8 ca 22 71 c1 86 [.......o...."q..] 30 : f0 ca b7 56 a0 b0 e0 00 00 00 00 00 00 00 00 41 [...V...........A] <----- controlled section (AAAA) 40 : 41 41 41 59 fb bb 60 86 f0 ca b7 56 a0 b0 60 00 [AAAY..`....V..`.] 50 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................] 60 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [...............] poc, which overwrites boot.ini: http://retrogod.altervista.org/9sg_autovueiii.zip Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18016.zip (9sg_autovueiii.zip)
