Vulnerability Development mailing list archives

Re: Rather large MSIE-hole


From: Slow2Show <sl2sho () yahoo com>
Date: 14 Mar 2002 21:01:41 -0000


In-Reply-To: <9956F8424795D411B03B0008C786E60D048D0A7B () DUBNTEX005 qwest net>

::responses to multiple people below::

Eric Brown wrote
Could you not create a batch file that housed the 
commands you wanted to run
(with args) and just run the batch file?
I apologise if someone has already addressed this.

How would you make this batch file? The only way I 
know would be to use "echo blah >> file.bat", and if 
you do it that way you are still using parameters... so 
we are right back to where we started.


Ryan Sweat mentioned using GG's script injection
ideas outlined in:
http://www.guninski.com/parsedat-desc.html
the only problem with this is that these techniques do 
not work on IE6, they were in IE5.x...I just tested on 
win2k/winXP.
So no go there...

Felipe Franciosi wrote
But I couldn't get to work something like:
var prog...
      'c:/command.com /c echo bin > c:/list.txt',
      'c:/command.com /c echo GET something >> c:/list.txt'

This won't create 'list.txt'... Any ideas why? Or how 
some could get around it?

Read my last post, Felipe, for info on why this doesn't 
work:
http://online.securityfocus.com/archive/82/261926


Kevin Wall wrote
On Win9x systems, rather than targeting FTP or a
command shell, what about starting up something
that simply causes an exploitable process to listen on
some port # (will vary, depending on application)
and then separately trying to exploit that.

PWS is not installed by default on Win9x... and I don't 
believe you can start IIS with one program on an XP Pro 
box (assuming they have installed that component 
and are just not using it).

If the User-Agent corresponds to MSIE, then at
some time later (perhaps wait t minutes later), gently
port scan the remote IP address to see if the
application was launched. If the port scan
succeeds, then go into full exploit mode. (This
assumes an exploitable application that is normally
not running and no pesky personal firewalls, etc. to
be sure. But certainly some combinations would be
vulnerable given the cluelessness of the typical
Windoze users and their disdain for ever updating
their system with security patches.)

I don't have access to a 9x system to test this... but 
this all relies on:
1) I am using Win9x with IE6 (don't forget that is the 
version we are discussing here)
2) that they have installed PWS before and it is 
currently disabled.
Then I assume one might be able to do what you are 
describing.

The bottom line is, if you know the path to an exe on 
the system, then you can open it up... the only way 
this could be an attack vector is if the exe was a 
trojan, or some kind of buggy daemon.

lata,

-Slow2Show-
University of Florida
