hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: Hijackclick 3
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Jul 12 2004, 07:52 PM
QUOTE


Note: This vulnerability as well as several more can be found at http://www.greyhats.cjb.net

HijackClick 3!!!
Took the name from Liu Die Yu smile.gif

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2

[Discussion]
The HijackClick series have been used to force a drag and drop event simply from the user clicking a something. This is done by moving the window when onmousedown fires. Previously, window.moveBy/To has been used. This has been patched. Apparently, window.resizeBy/To would work too because it gives access denied if it tries to execute when onmousedown fires. Microsoft just disabled those functions from being called when the mouse button is down and called it patched. No more hijackclick, right?

Wrong.

Popup.show() allows you to show a popup with desired left, top, height, and width values. The show() function doesnt give access denied when we call it on mousedown. Let's try it with a link on a popup. I'll make show() move the popup off the screen. Does it work? Yes, it changes the cursor. Good. A drag event just took place. With a little fine-tuning, we can make it show the popup on loading of the main window, move the popup and show a favorites list on mousedown, and set a timer to hide the favorites list and taunt the victim who just got tricked into adding a link of our choice to their favorites list smile.gif.

[Example]
http://freehost07.websamba.com/greyhats/hijackclick3.htm

And when you patch this one, Microsoft, please remember to patch the show() function method cache part, too. You don't want HijackClick4, do you?



Source: http://seclists.org/lists/bugtraq/2004/Jul/0117.html
qcred11
Jul 12 2004, 07:53 PM
QUOTE


<!--


Microsoft just disabled those functions from
being called when the mouse button is down and called it
patched. No more hijackclick,
right?


Wrong.


-->


This is absolutely fantastic Paul, with a patented double-click
of the mouse we can remotely take over the target's computer:


Just substitute as follows:


1. <img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>


2. location="shell:favorites\\greyhat[1].htm"


Someone was querying the other day whether shell in Internet
Explorer poses a problem [despite repeated demonstrations].
Pah ! Probably not.


Quick and Dirty Working Demo:


http://www.malware.com/paul.html




Source: http://seclists.org/lists/bugtraq/2004/Jul/0121.html
Paul
Jul 12 2004, 09:11 PM
Hm, friends probly double click the picture ;p
n0vun
Jul 13 2004, 03:14 AM
new poc here:
http://www.malware.com/paul.html
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.