Vulnerability Development mailing list archives

RE: pure IE code injection


From: "Tiago Halm" <thalm () netcabo pt>
Date: Sun, 24 Mar 2002 01:48:36 -0000

Windows XP / IE 6 + hotfixes

IE does decode the attachments; the attachment is written in the current
user's temp directory (ex: in XP it is %USERPROFILE%\Local Settings\Temp),
but the file is written with a temp filename which cannot be known, since
its generation perhaps depends on the local machine or the browser
settings.

The temp filename generation is probably obtained through the
GetTempFileName function, but its arguments are not known.
On my machine, every time I would browse the page, the filename created
was something like "tmpxxx.tmp", in which the xxx is a hexadecimal
value. This hexadecimal value was incremented by 5 every time I would
browse the page.

Tiago Halm

-----Original Message-----
From: heyhey_ [mailto:heyhey_ () iname com] 
Sent: Saturday, 23 March 2002 18:49
To: vuln-dev () securityfocus com
Subject: pure IE code injection


hi all,

I have successfully injected executable code through a .mhtml page on
my own development machine. pretty scary stuff.

it seems that IE decodes all 'html attachments' inside Windows temporary
folder (TEMP environment variable) so one can easily 'attach' executable
code and all that he needs to do is to guess the temporary directory.

Tested environment WinNT4 WS sp6+hotfixes, IE 6.0.2600.0000

attached is my ugly test code (zipped .mhtml page). Extract the page,
put it on some web server and access it from IE.

IMPORTANT!
.mhtml page contains Base64 encoded executable file (NT calc.exe) that
may be executed on your local machine if your temporary directory is
c:\temp or d:\temp


P.S. Several friends made quick tests with the following results: (I was
unable to monitor the tests, so results may be wrong)

WinXP machine - unable to find extracted files on local HDD ??
Win2K machine - unable to find extracted files on local HDD ??
WinNT + IE 5.5 - file can be found inside
C:/WINNT/Profiles/..../Local Settings/Temporary Internet Files/Content.IE5/QRAPUDEX/
but is not automatically executed.

-- 
Best regards,
 Ivan                          mailto:heyhey_ () iname com
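The thread describes a .mhtml page that carries a Base64-encoded executable as a MIME "attachment", which IE then decodes into a temp directory. The following script is an added example (not code from either poster) showing how a defender can enumerate the parts of such a page before it reaches a browser, decoding each part and flagging any whose bytes begin with an executable magic number. The embedded sample MHTML is constructed for the example: its "calc.exe" part is only the two-byte MZ header plus padding, not a real program, and the URLs under example.invalid are placeholders.

```python
"""Enumerate the MIME parts of an MHTML page and flag parts that decode to
executable content. Defender-side inspection of web content that a browser
might unpack into a temp directory (example code, not from the thread)."""
import base64
import email
from email import policy
from typing import Dict, List, Optional

# Constructed stand-in for an executable attachment: the PE/DOS 'MZ' magic
# followed by zero padding. It is NOT a runnable program.
FAKE_EXE = b"MZ" + b"\x00" * 62

# Constructed sample MHTML: an HTML body plus one Base64 part that claims to
# be calc.exe, mirroring the structure described in the original post.
SAMPLE_MHTML = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/related; boundary=\"----=_Boundary_01\"\r\n"
    "\r\n"
    "------=_Boundary_01\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Content-Location: http://example.invalid/index.html\r\n"
    "\r\n"
    "<html><body>test</body></html>\r\n"
    "------=_Boundary_01\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Location: http://example.invalid/calc.exe\r\n"
    "\r\n"
    + base64.b64encode(FAKE_EXE).decode() + "\r\n"
    "------=_Boundary_01--\r\n"
)

# Magic numbers that identify native executables regardless of the declared
# Content-Type or the filename in Content-Location.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
}


def classify(payload: bytes) -> Optional[str]:
    """Return a label if the decoded bytes look like a native executable."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return label
    return None


def inspect_mhtml(raw: str) -> List[Dict]:
    """Parse the MHTML container and describe every leaf part after decoding
    its transfer encoding (Base64, quoted-printable, or none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container node, nothing to decode
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "location": part.get("Content-Location"),
            "content_type": part.get_content_type(),
            "encoding": part.get("Content-Transfer-Encoding"),
            "size": len(payload),
            "executable": classify(payload),
        })
    return findings


def suspicious_parts(raw: str) -> List[Dict]:
    """Only the parts whose decoded content carries an executable header."""
    return [f for f in inspect_mhtml(raw) if f["executable"]]


if __name__ == "__main__":
    for f in inspect_mhtml(SAMPLE_MHTML):
        flag = f"  <-- {f['executable']}" if f["executable"] else ""
        print(f"{f['content_type']:<28} {f['size']:>6} B  {f['location']}{flag}")
```

The check keys on the decoded bytes rather than on the declared MIME type or filename, since either can be set arbitrarily by whoever builds the page; a gateway or proxy that unpacks MHTML this way can refuse or quarantine content with executable parts before a browser gets the chance to write them anywhere.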
