Vulnerability Development mailing list archives
RE: pure IE code injection
From: "Tiago Halm" <thalm () netcabo pt>
Date: Sun, 24 Mar 2002 01:48:36 -0000
Windows XP / IE 6 + hotfixes IE does decode the attachments, the attachment is written in the current users temp directory (ex: in XP is %USERPROFILE%\Local Settings\Temp) but the file is written with a temp filename which cannot be known since it's generation perhaps depends on the local machine or the browser settings. The temp filename generation is probably obtained through the GetTempFilename function, but it's arguments are not known. In my machine, every time I would browse the page, the filename created was something like "tmpxxx.tmp" in which the xxx is an hexadecimal value. This hexadecimal value was incremented by 5 everytime I would browse the page. Tiago Halm -----Original Message----- From: heyhey_ [mailto:heyhey_ () iname com] Sent: sábado, 23 de Março de 2002 18:49 To: vuln-dev () securityfocus com Subject: pure IE code injection hi al, I have successfully injected, executable code through .mhtml page on on my own development machine. pretty scary stuff. it seems that IE decodes all 'html attachments' inside Windows temporary folder (TEMP environment variable) so one can easily 'attach' executable code and all that he needs to do is to guess the temporary directory. Tested environment WinNT4 WS sp6+hotfixes, IE 6.0.2600.0000 attached is my ugly test code (zipped .mhtml page). Extract the page, put it on some web server and access it from IE. IMPORTANT ! .mhtml page contains Base64 encoded executable file (NT calc.exe) that may be executed on your local machine if your temporary directory is c:\temp or d:\temp P.S. Several friends made quick tests with following results: (I was unable top monitor tests, so results may be wrong) WinXP machine - unable to find extracted files on local HDD ?? Win2K machine - unable to find extracted files on local HDD ?? WinNT + IE 5.5 - file can be found inside C:/WINNT/Profiles/..../Local Settings/Temporary Internet Files/Content.IE5/QRAPUDEX/ but is not automatically executed. -- Best regards, Ivan mailto:heyhey_ () iname com
Current thread:
- pure IE code injection heyhey_ (Mar 23)
- RE: pure IE code injection Tiago Halm (Mar 23)
- <Possible follow-ups>
- Re: pure IE code injection NDR113 NDR113 (Mar 24)