OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
http-equiv_at_excite.com
Date: Wed Aug 14 2002 - 19:34:17 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Wednesday, August 14, 2002

    The following represents a trivial yet elaborate method of injecting
    arbitrary html into the "My Computer" zone on win98 using the
    Internet Explorer series of browsers.

    Internet Explorer enjoys a unique component called the "Web Folder"
    component. This is a selectable component install with the original
    installation of the browser or can be added later on. This unique
    component allows for an assortment of web publishing and authoring
    conveniences, often touted as useful "feature".

    But what it actually does, is create a nicely named file for us in a
    known location.

    Where:

    The Internet Explorer series 5 through 6 enjoy a related behavior to
    the so-called "Web Folder" component which allows us to point
    directly to one of these web folders and traverse it directly.
    However, should the folder not exist, an error message is generated
    and conveniently placed for us in the temp folder:

    So:

    This particular error message is nothing more than a server side 404
    error message which can be modified to suit our needs as we require.

    Commence:

    We first construct our trivial behavior to generate the error message
    like so:

    <body onload=malware() style="behavior: url(#default#httpFolder);">
     <script>
    function malware(){
    document.body.navigate("http://www.microsoft.com");alert
    ("malware");open("file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt")
    }
     </script>>

    What this will do is "probe" the target site for a webfolder, and if
    not found, create our error file in the temp folder as follows:

    [screen shot: http://www.malware.com/behave.png 4KB]

    Because the error fie is nothing more than a text file, we need to
    include our own html and allow Internet Explorer to 'read' it.
    Previously numerous possibilities to allow for this existed,
    including <object data="" type="text/html>, databinding with
    dataformatas="HTML", dotting file extensions etc. These now all
    appear to be patched.

    Good:

    But because we can craft our own error message on the server and
    point our trivial behavior to it, we simply construct our error
    message like so:

    MIME-Version: 1.0
    Content-Type: text/html;
     charset="Windows-1252"
    Content-Transfer-Encoding: 7bit

    <br><br>
    <body bgcolor=black>
    <center><font size="24" color="red"
    face="arial">malware</font></center>

    What that will do is generate our simple text file in our temp
    folder, and by merely mhtml'izing our url like so: open
    ("mhtml:file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt"), Internet
    Explorer will open our text file in full html splendor.

    Inclusive of whatever other "objects" we so desire.

    [screen shot: http://www.malware.com/your.png 8KB]

    Working Example:

    note: windows98 with temp folder default.
    note: requires the 'web component'
    note: simple text file only for demo purposes

    http://www.malware.com/behave.html

    [screen shot: http://www.malware.com/self.png 12KB]

    Notes:

    1. None.

    End Call 

    --
http://www.malware.com

    *yawn*