-----------------------------------------------------------------------------
Chilkat Crypt ActiveX Component Arbitrary File Creation/Execution
url: http://www.chilkatsoft.com
File: ChilkatCrypt2.dll
CLSID: {3352B5B9-82E8-4FFD-9EB1-1A3E60056904}
ProgID: ChilkatCrypt2.ChilkatCrypt2.1
Descr.: Chilkat Crypt2
Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on Windows XP Professional SP3, fully patched, with Internet Explorer 7
Vulnerable method:
Function WriteFile (
ByVal filename As String ,
ByVal binaryData As Variant
) As Long
Description:
The "WriteFile()" method saves (or overwrites) the file whose path is passed
as the "filename" argument.
Through the second parameter, "binaryData", arbitrary bytes can be written
into the created file.
In this PoC you will see that:
1) the variable HelloWorld contains the bytes of an executable written in C++ and
compiled with gcc. The source is simply as follows:
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* system */
int main(int argc, char* argv[]){
    printf("Hello World!\n");
    system("PAUSE");  /* keeps the console window open on Windows */
    return 0;
}
2) this file is written to "c:\HelloWorld.exe"
3) the variable myHcpProto simply contains these lines:
as you can see, I used a Microsoft control (compatUI.dll) which runs only
from the local machine (remote use is not allowed).
4) this file is written to C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo
5) through the "hcp://" protocol (suggested by rgod), the file can be
executed.
Note that I used the Unicode format because if you just pass the control a
string, it writes the bytes in Unicode form; for example:
test.WriteFile("C:\MyFile.txt", "AA")
will create a file containing these bytes: 41004100
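Added example (not part of the original advisory, and not Chilkat's code): a defender's check for this control on a Windows host. The advisory notes that the control is not marked safe in the registry but reports itself safe for scripting through IObjectSafety, so a registry-only "safe for scripting" audit would miss it; Internet Explorer's kill bit (Compatibility Flags 0x400 under the ActiveX Compatibility key) is consulted before instantiation regardless of what the control claims, so it is the standard mitigation. The CLSID is the one listed above; the function name and the -SetKillBit switch are this example's own. Setting the bit needs an elevated shell, and on 64-bit Windows the same key also exists under Wow6432Node for 32-bit IE (not handled here).

```powershell
function Test-ChilkatCrypt2KillBit {
    [CmdletBinding()]
    param(
        # CLSID from the advisory; assumed to be the only registration of interest
        [string]$Clsid = '{3352B5B9-82E8-4FFD-9EB1-1A3E60056904}',
        # When set, writes the kill bit (remediation); otherwise the function only reports
        [switch]$SetKillBit
    )

    $KillBitFlag = 0x400
    $compatPath  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $clsidPath   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"

    # Is the control registered at all on this machine?
    $registered = Test-Path $clsidPath
    $serverDll  = $null
    if ($registered) {
        $serverDll = (Get-ItemProperty -Path "$clsidPath\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }

    # Read the current Compatibility Flags (0 if the key or value is absent)
    $flags = 0
    if (Test-Path $compatPath) {
        $value = (Get-ItemProperty -Path $compatPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $value) { $flags = [int]$value }
    }
    $killBitSet = (($flags -band $KillBitFlag) -eq $KillBitFlag)

    # Optional remediation: set the kill bit so IE refuses to instantiate the control
    if ($SetKillBit -and -not $killBitSet) {
        New-Item -Path $compatPath -Force | Out-Null
        Set-ItemProperty -Path $compatPath -Name 'Compatibility Flags' -Value ($flags -bor $KillBitFlag) -Type DWord
        $flags = $flags -bor $KillBitFlag
        $killBitSet = $true
    }

    [pscustomobject]@{
        CLSID              = $Clsid
        Registered         = $registered
        InprocServer32     = $serverDll
        CompatibilityFlags = ('0x{0:X}' -f $flags)
        KillBitSet         = $killBitSet
    }
}

# Report only:
Test-ChilkatCrypt2KillBit
# Report and remediate (run elevated):
# Test-ChilkatCrypt2KillBit -SetKillBit
```

A host where Registered is True and KillBitSet is False is exposed to the scripted WriteFile() call described above whenever Internet Explorer loads an untrusted page; after remediation the control can still be used by local applications that instantiate it directly, since the kill bit only governs IE.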
-----------------------------------------------------------------------------