Vulnerability Development mailing list archives
pure IE code injection
From: heyhey_ <heyhey_ () iname com>
Date: Sat, 23 Mar 2002 20:49:22 +0200
hi al, I have successfully injected, executable code through .mhtml page on on my own development machine. pretty scary stuff. it seems that IE decodes all 'html attachments' inside Windows temporary folder (TEMP environment variable) so one can easily 'attach' executable code and all that he needs to do is to guess the temporary directory. Tested environment WinNT4 WS sp6+hotfixes, IE 6.0.2600.0000 attached is my ugly test code (zipped .mhtml page). Extract the page, put it on some web server and access it from IE. IMPORTANT ! .mhtml page contains Base64 encoded executable file (NT calc.exe) that may be executed on your local machine if your temporary directory is c:\temp or d:\temp P.S. Several friends made quick tests with following results: (I was unable top monitor tests, so results may be wrong) WinXP machine - unable to find extracted files on local HDD ?? Win2K machine - unable to find extracted files on local HDD ?? WinNT + IE 5.5 - file can be found inside C:/WINNT/Profiles/..../Local Settings/Temporary Internet Files/Content.IE5/QRAPUDEX/ but is not automatically executed. -- Best regards, Ivan mailto:heyhey_ () iname com
Attachment:
4.zip
Description:
Current thread:
- pure IE code injection heyhey_ (Mar 23)
- RE: pure IE code injection Tiago Halm (Mar 23)
- <Possible follow-ups>
- Re: pure IE code injection NDR113 NDR113 (Mar 24)