Vulnerability Development mailing list archives
Re: Rather large MSIE-hole
From: Slow2Show <sl2sho () yahoo com>
Date: 14 Mar 2002 21:01:41 -0000
In-Reply-To: <9956F8424795D411B03B0008C786E60D048D0A7B () DUBNTEX005 qwest net>

::responses to multiple people below::
Eric Brown wrote:

> Could you not create a batch file that housed the commands you wanted to run
> (with args) and just run the batch file? I apologise if someone has already
> addressed this.

How would you make this batch file? The only way I know would be to use "echo blah >> file.bat", and if you do it that way you are still using parameters... so we are right back to where we started. Ryan Sweat mentioned using GG's script injection ideas outlined in: http://www.guninski.com/parsedat-desc.html. The only problem with this is that these techniques do not work on IE6; they were in IE5.x... I just tested on win2k/winXP. So no go there...
Felipe Franciosi wrote:

> But I couldn't get to work something like:
> var prog... 'c:/command.com /c echo bin > c:/list.txt', 'c:/command.com /c echo GET something >> c:/list.txt'
> this won't create 'list.txt'... Any ideas why? Or how some could get around it?

Read my last post, Felipe, for info on why this doesn't work: http://online.securityfocus.com/archive/82/261926
Kevin Wall wrote:

> On Win9x systems, rather than targeting FTP or a command shell, what about
> starting up something that simply causes an exploitable process to listen on
> some port # (will vary, depending on application) and then separately trying
> to exploit that.

PWS is not installed by default on Win9x... and I don't believe you can start IIS with one program on an XP Pro box (assuming they have installed that component and are just not using it).

> If the User-Agent corresponds to MSIE, then at some time later (perhaps wait
> t minutes), gently port scan the remote IP address to see if the application
> was launched. If the port scan succeeds, then go into full exploit mode.
> (This assumes an exploitable application that is normally not running and no
> pesky personal firewalls, etc. to be sure. But certainly some combinations
> would be vulnerable given the cluelessness of the typical Windoze users and
> their disdain for ever updating their system with security patches.)

I don't have access to a 9x system to test this... but this all relies on 1) I am using Win9x with IE6 (don't forget that is the version we are discussing here), and 2) that they have installed PWS before and it is currently disabled. Then I assume one might be able to do what you are describing. The bottom line is, if you know the path to an exe on the system, then you can open it up... the only way this could be an attack vector is if the exe was a trojan or some kind of buggy daemon.

lata,
-Slow2Show-
University of Florida
Current thread:
- Re: Rather large MSIE-hole, (continued)
- Re: Rather large MSIE-hole Slow2Show (Mar 14)
- RE: Rather large MSIE-hole Ryan Sweat (Mar 14)
- Re: Rather large MSIE-hole Keegan (Mar 14)
- RE: Rather large MSIE-hole Ryan Sweat (Mar 14)
- Re: Rather large MSIE-hole Eric V Brown (Mar 14)
- RE: Rather large MSIE-hole Wall, Kevin (Mar 14)
- Re: Rather large MSIE-hole Paul D. Campbell (Mar 14)
- Re: Rather large MSIE-hole KF (Mar 14)
- Re: Rather large MSIE-hole jon schatz (Mar 14)
- RE: Rather large MSIE-hole Chad Thunberg (Mar 15)
- Re: Rather large MSIE-hole Joerg Over (Mar 15)
- Re: Rather large MSIE-hole KF (Mar 14)
- Re: Rather large MSIE-hole Slow2Show (Mar 14)
- Re: Rather large MSIE-hole Slow2Show (Mar 14)
- RE: Rather large MSIE-hole John Swensson (Mar 14)
- Re: Rather large MSIE-hole NoCoNFLiC (Mar 15)
- Re: Rather large MSIE-hole The Blueberry (Mar 14)
- RE: Rather large MSIE-hole Keith Tyler (Mar 15)
- Re: Rather large MSIE-hole Slow2Show (Mar 15)
- RE: Rather large MSIE-hole Tiago Halm (Mar 16)
- Re: Rather large MSIE-hole Slow2Show (Mar 14)